CVE-2019-10805

HIGH

Sideralis Valib.js < 2.0.0 - Exposure to Wrong Actor

Title source: rule

Description

valib through 2.0.0 allows Internal Property Tampering. A maliciously crafted JavaScript object can bypass several inspection functions provided by valib. Valib uses a built-in function (hasOwnProperty) from the unsafe user-input to examine an object. It is possible for a crafted payload to overwrite this function to manipulate the inspection results to bypass security checks.

References (2)

[Exploit, Third Party Advisory] https://snyk.io/vuln/SNYK-JS-VALIB-559015

[Third Party Advisory] https://www.npmjs.com/package/valib

Scores

CVSS v3 7.5

EPSS 0.0023

EPSS Percentile 45.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Classification

CWE

CWE-668

Status published

Affected Products (2)

sideralis/valib.js < 2.0.0

npm/valib npm

Timeline

Published Feb 28, 2020

Tracked Since Feb 18, 2026