exact-mirror is vulnerable to Code Injection
59
Medium Risk
exact-mirror compiles a value-mirroring function from a TypeBox/OpenAPI schema by building JavaScript source and passing it to Function. Schema property names are embedded directly into that generated source, and before the fix non-identifier names were inserted as raw, unescaped string literals via encodeProperty and joinProperty. A property name containing a quote, backtick, or other special character can break out of the literal and inject attacker-controlled JavaScript into the generated function, which executes when the mirror is compiled or invoked. The fix detects safe identifiers with a strict regex and escapes property names with JSON.stringify using bracket access.
You are affected if you are using a version that falls within the vulnerable range and build mirrors from schemas whose property names come from untrusted input.
exact-mirror is vulnerable to Code Injection in versions 0.0.0 - 1.1.0.
Upgrade the exact-mirror library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant