7.3
CVSS V3
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse
The ini
npm package before version 1.3.6 has a Prototype Pollution vulnerability.
If an attacker submits a malicious INI file to an application that parses it with ini.parse
, they will pollute the prototype on the application. This can be exploited further depending on the context.
This has been patched in 1.3.6.
payload.ini
poc.js: