Vulnerability Details CVE-2023-30857
@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 44.6%
CVSS Severity
CVSS v3 Score 3.7
References
Products affected by CVE-2023-30857
-
cpe:2.3:a:aedart:ion:-
-
cpe:2.3:a:aedart:ion:0.1.0
-
cpe:2.3:a:aedart:ion:0.1.1
-
cpe:2.3:a:aedart:ion:0.2.0
-
cpe:2.3:a:aedart:ion:0.3.0
-
cpe:2.3:a:aedart:ion:0.3.1
-
cpe:2.3:a:aedart:ion:0.4.0
-
cpe:2.3:a:aedart:ion:0.5.0
-
cpe:2.3:a:aedart:ion:0.6.0