@mparticle/web-sdk is vulnerable to Prototype Pollution
63
Medium Risk
Affected versions of this package are vulnerable to Prototype Pollution via the extend() helper function, which does not sufficiently validate property names when merging objects. An attacker could exploit this by passing a malicious object containing properties like __proto__, prototype, or constructor to merge operations. This could allow them to modify the Object prototype and inject or alter properties that exist on all objects, leading to unexpected behavior, denial of service, or, in the worst-case scenario, remote code execution. The issue was mitigated by adding validation to skip these reserved properties during extension.
You are affected if you are using a version that falls within the vulnerable range.
@mparticle/web-sdk is vulnerable to Prototype Pollution in versions 2.10.0 - 2.50.1.
Upgrade the @mparticle/web-sdk library to the patch version.
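The class of bug described above, shown as a generic recursive merge run with and without the reserved-key check. This is an added illustration, not the SDK's own extend() code; the function names and the sample payload are constructed for the example.

```javascript
// Added illustration: generic merge helpers, not the SDK's own extend() code.
const RESERVED_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

// Arrays are treated as leaf values and assigned as-is.
function isObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Recursive merge; `skipReserved` toggles the validation the fix describes.
function mergeInto(target, source, skipReserved) {
  for (const key of Object.keys(source)) {
    if (skipReserved && RESERVED_KEYS.has(key)) continue;
    const value = source[key];
    if (isObject(value)) {
      // Reading target['__proto__'] yields Object.prototype, so recursing
      // here without the check writes onto the shared prototype.
      if (!isObject(target[key])) target[key] = {};
      mergeInto(target[key], value, skipReserved);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const unsafeExtend = (target, source) => mergeInto(target, source, false);
const safeExtend = (target, source) => mergeInto(target, source, true);

// Constructed input: JSON.parse creates "__proto__" as an own, enumerable key.
const SAMPLE = '{"settings":{"debug":true},"__proto__":{"polluted":"yes"}}';

function demo() {
  const results = {};
  const merged = safeExtend({}, JSON.parse(SAMPLE));
  results.safeKept = merged.settings.debug;   // ordinary keys still merge
  results.afterSafe = ({}).polluted;          // unrelated object is untouched
  unsafeExtend({}, JSON.parse(SAMPLE));
  results.afterUnsafe = ({}).polluted;        // now visible on every object
  delete Object.prototype.polluted;           // restore the prototype
  return results;
}

console.log(demo());
```

The same check is useful in code review: any in-house merge, clone, or path-set helper that iterates over keys from untrusted JSON should reject these three names before recursing.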