Basic Information
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| node-gettext | npm | <= 3.0.0 | |
The vulnerability description explicitly identifies addTranslations() in gettext.js as the entry point. The function's code (visible in the provided GitHub link) directly assigns the user-controlled `locale` and `translations` arguments to an internal catalog object without validation. By passing `__proto__` as the locale, an attacker can pollute Object.prototype. The PoC in the Snyk report confirms this vector by demonstrating pollution via `{}.polluted` after calling addTranslations() with malicious parameters. The lack of input sanitization and the direct prototype manipulation through object properties align with CWE-1321 (Prototype Pollution).
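As an added illustration (not node-gettext's own code), the following models the unchecked catalog assignment the description sketches beside a hardened version that rejects reserved keys and keeps catalogs as null-prototype objects; the function names, the `(locale, domain, translations)` shape and the sample input are assumptions.

```javascript
// Added example (not node-gettext's source): hypothetical catalog keyed by locale and domain.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Unchecked: catalogs['__proto__'] resolves to Object.prototype, so the domain
// key is written onto every plain object in the process.
function addTranslationsUnchecked(catalogs, locale, domain, translations) {
  catalogs[locale] = catalogs[locale] || {};
  catalogs[locale][domain] = translations;
  return catalogs;
}

// Hardened: reject reserved keys and keep catalogs as null-prototype objects,
// so no key can alias the prototype chain.
function assertSafeKey(name, value) {
  if (typeof value !== 'string' || value === '' || RESERVED_KEYS.has(value)) {
    throw new TypeError(`invalid ${name}: ${String(value)}`);
  }
}

function addTranslationsSafe(catalogs, locale, domain, translations) {
  assertSafeKey('locale', locale);
  assertSafeKey('domain', domain);
  if (translations === null || typeof translations !== 'object') {
    throw new TypeError('translations must be an object');
  }
  if (!Object.prototype.hasOwnProperty.call(catalogs, locale)) {
    catalogs[locale] = Object.create(null);
  }
  catalogs[locale][domain] = translations;
  return catalogs;
}

// True when a fresh object inherits `key`, i.e. Object.prototype was polluted.
function isPolluted(key) {
  return key in {};
}
// Feed the PoC-style input (constructed) to both versions and report what happened.
function demo() {
  addTranslationsUnchecked({}, '__proto__', 'polluted', { msgid: 'x' });
  const unsafePolluted = isPolluted('polluted');
  delete Object.prototype.polluted; // undo the pollution for the rest of the process
  let safeOutcome;
  try {
    addTranslationsSafe(Object.create(null), '__proto__', 'polluted', { msgid: 'x' });
    safeOutcome = 'accepted';
  } catch (e) {
    safeOutcome = e instanceof TypeError ? 'rejected' : 'error';
  }
  return { unsafePolluted, safeOutcome, stillPolluted: isPolluted('polluted') };
}
```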