Last 12 weeks · 0 commits
4 of 6 standards met
We found that a maliciously crafted user-input object can type detection result of component-type module. The vulnerability is from the following code: component-type leverages the _isBuffer property from unsafe user-input to detect buffer type information. However, a crafted payload can overwrite this property to manipulate the type detection result. https://github.com/component/type/blob/a581cc14d0b46b8a4c96e2fc99fa76cd7faef5d9/index.js#L39-L46 Reproduce Script
Repository: sindresorhus/component-type. Description: Type assertions aka less-broken `typeof` Stars: 96, Forks: 21. Primary language: JavaScript. Languages: JavaScript (100%). License: MIT. Latest release: v2.0.0 (2y ago). Open PRs: 0, open issues: 0. Last activity: 2y ago. Community health: 85%. Top contributors: tj, juliangruber, sindresorhus, Swatinem, ianstormtaylor, chemzqm, chrissrogers, cristiandouce, dominicbarnes, ForbesLindesay and others.