CVE-2023-30857
LOWaedart/ion < 0.6.1 - Prototype Pollution in MetadataRecord Merge
Title source: llmDescription
@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6
Patch x_refsource_misc
https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291
Scores
CVSS v3
3.7
EPSS
0.0048
EPSS Percentile
37.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-1321
Status
published
Products (2)
aedart/ion
< 0.6.1
aedart/support
0 - 0.6.1npm
Published
Apr 28, 2023
Tracked Since
Feb 18, 2026