CVE-2023-30857

low-risk

Published 2023-04-28

@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`.

Do I need to act?

0.28% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 3.7/10 Low

NETWORK / HIGH complexity

Affected Products (1)

Ion

Affected Vendors

Aedart

References (4)

Patch https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291

Vendor Advisory https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6

Patch https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291

Vendor Advisory https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6

/ 100

low-risk

Severity 13/34 · Low

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal