Hacker News
by black3r 1269 days ago
I understand prototype pollution in JavaScript and know it can be serious, but seeing it get 9.8/10 in libraries like minimist, which only parse process.argv, with CVSS scoring mentioning a "network" attack vector, is by itself contributing to security fatigue.

Not to mention that I've seen a couple of cases where the user isn't really able to control a, b & c, or like the one I mentioned, where it's just `obj[a] = b`, where both are controllable by the user, but `b` can't be an object (it's either null, true, false, or a string), so it shouldn't be exploitable at all, yet it still scored a severity of 9.8/10...

I'm not saying we should completely ignore bug reports of these types just because there's a lot of noise among them, just that when a CVE is filed with a critical severity and without a PoC exploit, someone should verify that the reported scoring is sensible before millions of developers using supply chain auditing tools get annoyed with a false positive...
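An added, runnable illustration of the two patterns the comment contrasts (this is not code from black3r's comment or from minimist): the `obj[a] = b` case, where `b` is restricted to null, true, false or a string, cannot reach `Object.prototype`, while a minimist-style dotted-key assignment (`--__proto__.polluted=true`) can. `setPathUnsafe`, `setPathSafe`, `PROTOTYPE_KEYS` and the payload strings are hypothetical names and constructed inputs chosen here; the unsafe path walker mirrors the "create the intermediate object only if the slot is undefined" behaviour typical of argv parsers rather than any specific library's source.

```javascript
"use strict";

// Keys that, used as a property name on any plain object, lead to Object.prototype.
const PROTOTYPE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Snapshot of Object.prototype's own property names; a change after an
// assignment means the shared prototype itself was modified.
function prototypeSnapshot() {
  return Object.getOwnPropertyNames(Object.prototype).sort().join(",");
}

// The pattern from the comment: obj[a] = b with both a and b attacker-controlled,
// but b limited to null, true, false or a string.
function assignScalar(obj, key, value) {
  obj[key] = value;
  return obj;
}

// Exercise every listed scalar against every prototype-reaching key.
// Returns true if Object.prototype gained or lost a property, false otherwise.
function scalarAssignmentPollutes() {
  const before = prototypeSnapshot();
  for (const key of PROTOTYPE_KEYS) {
    for (const value of [null, true, false, "injected"]) {
      const target = {};
      assignScalar(target, key, value);
      // __proto__ = <non-object> is silently ignored by the accessor;
      // __proto__ = null only detaches `target` from its own chain;
      // "constructor" / "prototype" become own properties of `target`.
    }
  }
  return prototypeSnapshot() !== before;
}

// Minimist-style dotted-key assignment (simplified, hypothetical): `--a.b.c=v`
// becomes setPath(argv, ["a", "b", "c"], "v"). An intermediate object is created
// only when the slot is undefined, so an inherited slot such as obj.__proto__ or
// obj.constructor.prototype is walked into instead of being replaced.
function setPathUnsafe(root, path, value) {
  let cur = root;
  for (const key of path.slice(0, -1)) {
    if (cur[key] === undefined) cur[key] = {};
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return root;
}

// Hardened variant: refuse any path segment that can reach the prototype chain.
function setPathSafe(root, path, value) {
  if (path.some((key) => PROTOTYPE_KEYS.has(key))) {
    return root; // drop the key; throwing is an equally valid policy
  }
  return setPathUnsafe(root, path, value);
}

// Feed constructed argv-style payloads through `setPath`, report whether a fresh,
// unrelated object now inherits the injected property, then undo the damage.
function nestedAssignmentPollutes(setPath) {
  const payloads = ["__proto__.polluted", "constructor.prototype.polluted"];
  let polluted = false;
  for (const dotted of payloads) {
    const argv = {};
    setPath(argv, dotted.split("."), true);
    if ("polluted" in {}) polluted = true;  // {} has no own props: must be inherited
    delete Object.prototype.polluted;       // restore the runtime for later calls
  }
  return polluted;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("obj[a] = <scalar> pollutes Object.prototype:", scalarAssignmentPollutes());
  console.log("dotted-path parser, unsafe:  ", nestedAssignmentPollutes(setPathUnsafe));
  console.log("dotted-path parser, hardened:", nestedAssignmentPollutes(setPathSafe));
}
```

Run with `node` to see the three results. The first is false: none of the scalar values survives the `__proto__` accessor as a prototype, and `constructor`/`prototype` only become own properties of the target. The second is true because the walker follows the inherited `__proto__` and `constructor.prototype` slots into `Object.prototype`; the third is false because the hardened walker rejects those segments before walking. Which of the two patterns a library actually implements is the detail a severity reviewer would want to confirm before accepting a 9.8.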