ash is vulnerable to Attribute Injection
59
Medium Risk
Affected versions of Ash do not consistently filter private action arguments (public?: false) from user-supplied parameter maps, allowing attackers to set values intended for trusted server-side code. Applications that expose actions with private arguments to untrusted users may be vulnerable to integrity violations or privilege escalation if those arguments influence authorization, identity, or record ownership.
You are affected if you are using a version that falls within the vulnerable range.
ash is vulnerable to Attribute Injection in versions 3.0.0 - 3.29.2.
Upgrade the ash library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant