CVE-2023-30857

LOW

Aedart Ion < 0.6.1 - Prototype Pollution

Title source: rule

Description

@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`.

References (2)

[Vendor Advisory] https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6

[Patch] https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291

View Patch ZIP pw:eip

Scores

CVSS v3 3.7

EPSS 0.0030

EPSS Percentile 52.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1321

Status published

Products (2)

aedart/ion < 0.6.1

aedart/support 0 - 0.6.1npm

Published Apr 28, 2023

Tracked Since Feb 18, 2026