| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| steal | npm | <= 2.3.0 | |

The vulnerability stems from the `extend` function's unsafe property assignment logic (`d[p] = v`). This pattern is a known prototype pollution vector when it handles untrusted input. The CVE description explicitly references the `optionName` variable as the attack vector, which would flow through this function. The code structure matches the classic prototype pollution pattern in JavaScript utilities that merge objects without prototype checks. The linked line 2194 in `main.js` contains the `extend` implementation, confirming its role in the vulnerability.
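
The `d[p] = v` pattern described above, next to a hardened form, as an added example that is not steal's source code. The names `unsafeExtend`, `safeExtend`, `BLOCKED_KEYS` and `demo` are hypothetical, and the input is constructed for illustration.

```javascript
// Added example: hypothetical helpers, not code from steal's main.js.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Unsafe pattern: every enumerable key of s is assigned as d[p] = v.
function unsafeExtend(d, s) {
  for (const p in s) {
    // When p is "__proto__", this runs the prototype setter on d
    // instead of creating an ordinary property.
    d[p] = s[p];
  }
  return d;
}

// Hardened form: own keys only, prototype-related keys skipped.
function safeExtend(d, s) {
  for (const p of Object.keys(s)) {
    if (BLOCKED_KEYS.has(p)) continue;
    d[p] = s[p];
  }
  return d;
}

// Constructed untrusted input. JSON.parse stores "__proto__" as an own,
// enumerable property, so a for...in loop will visit it.
const untrusted = JSON.parse('{"name":"demo","__proto__":{"trusted":true}}');

// Runs both variants on fresh targets and reports what each target looks like.
function demo() {
  const a = unsafeExtend({}, untrusted);
  const b = safeExtend({}, untrusted);
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  return {
    unsafeInherits: a.trusted === true,          // value reachable on the target
    unsafeOwn: own(a, "trusted"),                // but not as an own property
    unsafeProtoReplaced: Object.getPrototypeOf(a) !== Object.prototype,
    safeInherits: b.trusted === true,
    safeProtoIntact: Object.getPrototypeOf(b) === Object.prototype,
    safeCopiedName: b.name === "demo",           // ordinary keys still merge
  };
}

console.log(demo());
```

In this shallow form the assignment replaces the prototype of the target object only. A recursive merge built on the same assignment writes into the shared `Object.prototype`, so the key filter belongs at every level of the merge.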