Miggo Logo
Miggo Vulnerability Database
CVE-2022-37264

CVE-2022-37264:
steal vulnerable to Prototype Pollution via optionName variable

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-37264
GHSA ID
GHSA-8f8g-9j73-7p82
EPSS Score
0.34305%
CWE
CWE-1321
Published
9/16/2022
Updated
1/30/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
stealnpm<= 2.3.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the extend function's unsafe property assignment logic (d[p] = v). This pattern is a known prototype pollution vector when handling untrusted input. The CVE description explicitly references the optionName variable as the attack vector, which would flow through this function. The code structure matches classic prototype pollution patterns in JavaScript utilities that merge objects without prototype checks. The linked line 2194 in main.js contains the extend implementation, confirming its role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Prototyp* pollution vuln*r**ility in st**ljs st**l *.*.* vi* t** optionN*m* v*ri**l* in m*in.js.

Reasoning

T** vuln*r**ility st*ms *rom t** *xt*n* *un*tion's uns*** prop*rty *ssi*nm*nt lo*i* (*[p] = v). T*is p*tt*rn is * known prototyp* pollution v**tor w**n **n*lin* untrust** input. T** *V* **s*ription *xpli*itly r***r*n**s t** optionN*m* v*ri**l* *s t**