Prototype Pollution in async
High severity
GitHub Reviewed
Published
Apr 7, 2022
to the GitHub Advisory Database
•
Updated Feb 13, 2024
Package
Affected versions
>= 3.0.0, < 3.2.2
>= 2.0.0, < 2.6.4
Patched versions
3.2.2
2.6.4
Description
Published by the National Vulnerability Database
Apr 6, 2022
Published to the GitHub Advisory Database
Apr 7, 2022
Reviewed
Apr 7, 2022
Last updated
Feb 13, 2024
A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the
mapValues()
method.References