@lexical/yjs is vulnerable to Prototype Pollution
48
Medium Risk
The @lexical/yjs collaboration binding applies remote node-state and property attributes received from other peers. Unknown attributes are written directly from the deserialized payload, so a malicious peer can send a __proto__ attribute that pollutes the object prototype during a collaborative session. This can inject or override state values that the application later reads. The fix applies a guard that skips __proto__, constructor, and prototype keys when importing remote attributes.
You are affected if you are using a version that falls within the vulnerable range and your application uses Yjs-based collaboration with untrusted remote peers.
@lexical/yjs is vulnerable to Prototype Pollution in versions 0.37.0 - 0.45.0.
Upgrade the @lexical/yjs library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant