Skip to content

[GHSA-gvwq-6fmx-28xm] node-opcua-alarm-condition prototype pollution vulnerability #5474

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: tariqhawis/advisory-improvement-5474
Choose a base branch
from
Open

[GHSA-gvwq-6fmx-28xm] node-opcua-alarm-condition prototype pollution vulnerability #5474

wants to merge 1 commit into from

Conversation

tariqhawis
Copy link

Updates

  • CVSS v3
  • References
  • Severity

Comments
Removed an issue link unrelated to the vulnerability.
Details: the removed issue link is opened by a user to confirm the status of the vulnerability, which is already fixed b y the maintainer based on our original private report in Nov, 2024.
The credited user should be replaced by the original one (tariqhawis).

@Copilot Copilot AI review requested due to automatic review settings April 21, 2025 13:58
Copilot
Copilot AI reviewed Apr 21, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.

Files not reviewed (1)

@github-actions github-actions bot changed the base branch from main to tariqhawis/advisory-improvement-5474 April 21, 2025 13:59
@shelbyc
Copy link
Contributor

shelbyc commented Apr 21, 2025

Hi @tariqhawis, the other person has credit on GHSA-gvwq-6fmx-28xm for #5448, which added a reference link that indicated that the issue was fixed in version 2.137.0. If that information is correct, then the other person should still have credit.

Reporter/finder/anything other than analyst credit is only available on advisories that are sourced from repository GitHub Security Advisories, and those credits are provided by the repository maintainers. GHSA-gvwq-6fmx-28xm is sourced from NVD, so the only credits available are analyst credits from community contributions. Many reporters get credit on advisories by enhancing the advisories with information from their initial vulnerability reports, so that the advisory description contains more than the text of the CVE record.

I have some questions about your contribution:

Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.

If so, do you consent to changing the CVSS in the advisory and having this text from your vulnerability report appear in the description of GHSA-gvwq-6fmx-28xm, which would result in having analyst credit added for you to GHSA-gvwq-6fmx-28xm?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tariqhawis @shelbyc