
CVE-2022-37617: thlorenz browserify-shim vulnerable to prototype pollution

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.29326%
Published: 10/12/2022
Updated: 4/22/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: browserify-shim
Ecosystem: npm
Vulnerable Versions: <= 3.8.15
First Patched Version: 3.8.16

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the unvalidated 'k' variable in the Object.keys(shims).forEach loop within separateExposeGlobals. The GitHub patch adds explicit checks to skip the '__proto__' and 'constructor' keys, confirming this was the attack vector. The CVE description and the commit diff both point to this function as the vulnerable code path that permitted prototype pollution through shim key manipulation.
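As an added illustration (not browserify-shim's own code, whose exact loop body this page does not show): a schematic Object.keys(shims).forEach loop that copies shim configuration into a target object, first without and then with the '__proto__'/'constructor' guard the analysis above describes. The function names applyShimsUnsafe/applyShimsSafe, the recursive merge, and the sample shim map are assumptions made for the demonstration.

```javascript
// Added illustration, not browserify-shim's own code: a schematic
// Object.keys(shims).forEach loop that copies shim configuration into a
// target object, shown without and with the __proto__/constructor guard.
// Function names and the recursive-merge behaviour are assumptions.

// Vulnerable shape: every own key of `shims` is merged into `target`. An own
// key literally named "__proto__" (as JSON.parse produces) makes `target[k]`
// resolve to Object.prototype, so the nested values land on every object.
function applyShimsUnsafe(target, shims) {
  Object.keys(shims).forEach((k) => {
    const v = shims[k];
    if (v && typeof v === 'object' && !Array.isArray(v)) {
      if (!target[k] || typeof target[k] !== 'object') target[k] = {};
      applyShimsUnsafe(target[k], v);
    } else {
      target[k] = v;
    }
  });
  return target;
}

// Hardened shape: skip keys that reach the prototype chain, and only recurse
// into properties the target itself owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function applyShimsSafe(target, shims) {
  Object.keys(shims).forEach((k) => {
    if (BLOCKED_KEYS.has(k)) return;
    const v = shims[k];
    if (v && typeof v === 'object' && !Array.isArray(v)) {
      const own = Object.prototype.hasOwnProperty.call(target, k);
      if (!own || !target[k] || typeof target[k] !== 'object') target[k] = {};
      applyShimsSafe(target[k], v);
    } else {
      target[k] = v;
    }
  });
  return target;
}

// Constructed sample: a shim map that also carries a "__proto__" key, as it
// would after JSON.parse of attacker-influenced configuration.
const CONSTRUCTED_SHIMS_JSON =
  '{"jquery": {"exports": "$"}, "__proto__": {"polluted": "yes"}}';

// Runs one variant against a fresh target and reports whether an unrelated,
// freshly created object inherited the injected property.
function demo(applyFn) {
  const target = applyFn({}, JSON.parse(CONSTRUCTED_SHIMS_JSON));
  const probe = {};
  const polluted = probe.polluted === 'yes';
  delete Object.prototype.polluted; // reset so the next run starts clean
  return { jqueryExports: target.jquery.exports, polluted };
}

console.log('unsafe:', demo(applyShimsUnsafe)); // { jqueryExports: '$', polluted: true }
console.log('safe:  ', demo(applyShimsSafe));   // { jqueryExports: '$', polluted: false }
```

The guard is a key denylist plus an own-property check before recursing; the second part matters because even a key that is not on the list can still be resolved through the prototype chain when the target does not own it.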

WAF Protection Rules

WAF Rule

Prototype pollution vulnerability in function `resolveShims` in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the `k` variable in resolve-shims.js.
