CVE-2023-45811 HIGH

CVE-2023-45811: Prototype pollution vulnerability leading to arbitrary code execution in synchrony deobfuscator

Vendor Relative
Product synchrony
Weakness CWE-1321
Published October 17, 2023
Last update September 13, 2024

CVSS base score

8.2/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Synchrony deobfuscator is a javascript cleaner & deobfuscator. A `__proto__` pollution vulnerability exists in versions before v2.4.4. Successful exploitation could lead to arbitrary code execution. A `__proto__` pollution vulnerability exists in the `LiteralMap` transformer allowing crafted input to modify properties in the Object prototype. A fix has been released in `deobfuscator@2.4.4`. Users are advised to upgrade. Users unable to upgrade should launch node with the [--disable-proto=delete][disable-proto] or [--disable-proto=throw][disable-proto] flags

Key dates

02Disclosure timeline

October 17, 2023 CVE published
September 13, 2024 Record updated