9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-37257

GHSA ID

GHSA-93q5-3xpc-8vg3

EPSS Score

0.3434%

CWE

CWE-1321

Published

9/16/2022

Updated

1/30/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-37257

CVE-2022-37257: steal vulnerable to Prototype Pollution via requestedVersion variable

Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal via the requestedVersion variable in the npm-convert.js file.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-37257

GHSA ID

GHSA-93q5-3xpc-8vg3

EPSS Score

0.3434%

CWE

CWE-1321

Published

9/16/2022

Updated

1/30/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
steal	npm	<= 2.3.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how 'requestedVersion' is processed in convertLater. The function stores callback functions using user-controlled 'requestedVersion' as an object key without prototype protection. When attackers provide malicious version strings like 'proto', they can modify the prototype chain. This matches the CWE-1321 pattern of improper prototype modification. The GitHub advisory specifically calls out 'requestedVersion' in npm-convert.js as the injection vector, and the code shows direct use of this variable in key assignment without safe property checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Prototyp* pollution vuln*r**ility in *un*tion *onv*rtL*t*r in npm-*onv*rt.js in st**ljs st**l vi* t** r*qu*st**V*rsion v*ri**l* in t** npm-*onv*rt.js *il*.

Reasoning

T** vuln*r**ility st*ms *rom *ow 'r*qu*st**V*rsion' is pro**ss** in *onv*rtL*t*r. T** *un*tion stor*s **ll***k *un*tions usin* us*r-*ontroll** 'r*qu*st**V*rsion' *s *n o*j**t k*y wit*out prototyp* prot**tion. W**n *tt**k*rs provi** m*li*ious v*rsion

9.8

Basic Information

Concerned about an active attack path?

CVE-2022-37257: steal vulnerable to Prototype Pollution via requestedVersion variable

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI