-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @andrei-tatar/nora-firebase-common | npm | >= 1.0.41, < 1.12.3 | 1.12.3 |
JavaScriptJavaScriptMiggo AIRoot Cause AnalysisThe vulnerability stems from updateStateInternal's key iteration logic. The pre-patch code lacked checks for prototype-pollution vectors (proto/constructor/prototype) when recursively merging objects. The commit explicitly adds an 'ignoreKeys' filter to address this, and the test case confirms the fix by verifying proto manipulation is blocked. The CVE description and PoC both target this function's handling of the 'update' parameter, making it the clear entry point for the exploit.
Ongoing coverage of React2Shell