GHSA-9v98-6g37-x9g6CriticalCVSS 9.9
deepstream is vulnerable to prototype pollution
🔗 CVE IDs covered (1)
📋 Description
Impact
Prototype pollution in deepstream server v <=10.0.4. Potential privilege escalation from any authenticated user with write permission to any record.
Patches
Yes, upgrade to v10.0.5
Workarounds
Filter out all messages containing the path __proto__, constructor, prototype, before they reach the server's message pipeline
🎯 Affected products1
- npm/@deepstream/server:< 10.0.5