CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

AI Score
Confidence: Low

EPSS
Percentile: 15.5%
sequelize-typescript is vulnerable to Prototype Pollution. The vulnerability is due to the deepAssign function, which does not check whether an attribute resolves to the object prototype. This makes it possible to create attributes that exist on every object, or to replace critical attributes with malicious ones. An attacker can exploit this by replacing existing attributes with malicious ones.
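The missing check described above, shown as an added example that is not sequelize-typescript's own code: a recursive merge that follows whatever a key resolves to, next to a version that skips prototype-related keys and only descends into own properties. The function names and the sample input are constructed for illustration.

```javascript
// Added illustration; not sequelize-typescript's code. All names are hypothetical.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// No key check: target['__proto__'] resolves to Object.prototype,
// so the recursion writes onto the prototype shared by every object.
function naiveDeepAssign(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepAssign(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: reject prototype-related keys and never descend into
// a property the target merely inherits.
function safeDeepAssign(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeDeepAssign(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merge a constructed input, report whether a fresh object inherited
// the attribute, then undo the side effect.
function pollutionCheck(assignFn) {
  const input = JSON.parse('{"__proto__": {"polluted": true}, "name": "x"}');
  const merged = assignFn({}, input);
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { polluted, name: merged.name };
}
```

Freezing the prototype (`Object.freeze(Object.prototype)`) or merging into objects created with `Object.create(null)` are complementary defenses when the merge function itself cannot be changed.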