CVE-2022-25296 — Prototype Pollution in Project Bodymen

CWE-1321 — Prototype Pollution CWE-78 — OS Command Injection CWE-138 — Improper Neutralization of Special Elements6 documents5 sources

Severity

7.3HIGHNVD

GHSA6.3OSV6.3CISA8.8

EPSS

0.3%

top 49.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bodymen Project Bodymen

Timeline

PublishedMar 17

Latest updateMar 18

Description

The package bodymen from 0.0.0 are vulnerable to Prototype Pollution via the handler function which could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. **Note:** This vulnerability derives from an incomplete fix to [CVE-2019-10792](https://security.snyk.io/vuln/SNYK-JS-BODYMEN-548897)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages2 packages

▶NVDbodymen_project/bodymen1.1.1

▶npmbodymen_project/bodymen

🔴Vulnerability Details

GHSA

Prototype Pollution in bodymen↗2022-03-18

▶

OSV

Prototype Pollution in bodymen↗2022-03-18

▶

📋Vendor Advisories

CISA

Nagios XI OS Command Injection↗2022-01-18

▶