CVE-2023-45811

Summary

Synchrony deobfuscator is a javascript cleaner & deobfuscator. A __proto__ pollution vulnerability exists in versions before v2.4.4. Successful exploitation could lead to arbitrary code execution. A __proto__ pollution vulnerability exists in the LiteralMap transformer allowing crafted input to modify properties in the Object prototype. A fix has been released in deobfuscator@2.4.4. Users are advised to upgrade. Users unable to upgrade should launch node with the [–disable-proto=delete][disable-proto] or [–disable-proto=throw][disable-proto] flags

Affected Software

VendorProductVersion RangeStatus
relativesynchrony>= 2.0.1, < 2.4.4affected

Weaknesses

  • CWE-1321: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References