js · @deepstream/server · Critical
@deepstream/server <=10.0.4 Prototype Pollution Privilege Escalation
What changed
Prototype pollution vulnerability in deepstream server versions <=10.0.4 allows privilege escalation from any authenticated user with write permission to any record.
Who it affects
All users of @deepstream/server versions <=10.0.4, especially deployments where authenticated users hold write permission on records.
What to do today
Upgrade to version 10.0.5, or as a workaround filter out messages whose paths contain __proto__, constructor or prototype before they reach the server's message pipeline.
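One way to implement that workaround as a pre-pipeline filter, written here as an added example rather than deepstream's own code; it assumes messages are objects with a string path field and that path segments are separated by "." or brackets, and the sample batch is constructed:

```javascript
// Added example: drop record messages whose path could reach Object.prototype.
// Assumptions (not from the advisory): each message carries a string `path`,
// and segments are separated by "." or by brackets, e.g. "a[0].b".

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a record path into its segments; "a[constructor].b" -> ["a","constructor","b"].
function pathSegments(path) {
  return String(path)
    .split(/[.\[\]]+/)
    .filter((seg) => seg.length > 0);
}

// True when any segment names a property that walks onto the prototype chain.
function isUnsafePath(path) {
  return pathSegments(path).some((seg) => FORBIDDEN_SEGMENTS.has(seg));
}

// Partition a batch: `kept` goes on to the pipeline, `rejected` is returned
// separately so it can be logged as a detection signal instead of silently dropped.
function filterMessages(messages) {
  const kept = [];
  const rejected = [];
  for (const msg of messages) {
    if (msg.path !== undefined && isUnsafePath(msg.path)) {
      rejected.push(msg);
    } else {
      kept.push(msg);
    }
  }
  return { kept, rejected };
}

// Constructed sample batch: two ordinary record patches and two that aim at the prototype chain.
const sampleMessages = [
  { topic: 'RECORD', action: 'PATCH', name: 'user/1', path: 'profile.name', data: 'alice' },
  { topic: 'RECORD', action: 'PATCH', name: 'user/1', path: 'settings.theme', data: 'dark' },
  { topic: 'RECORD', action: 'PATCH', name: 'user/1', path: '__proto__.isAdmin', data: true },
  { topic: 'RECORD', action: 'PATCH', name: 'user/1', path: 'constructor.prototype.isAdmin', data: true },
];

const result = filterMessages(sampleMessages);
console.log(`kept ${result.kept.length}, rejected ${result.rejected.length}`); // kept 2, rejected 2
```

The filter inspects only the path field; keys inside a message's data payload are not checked by this example.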