Beware of Prototype Pollution in rangy JavaScript library

CVECVE-2023-26102
CVSScvssV3_1: 7.5
SourceCVE-2023-26102

The popular JavaScript library rangy, used for text selection and manipulation, is vulnerable to a risk called Prototype Pollution.

Prototype Pollution refers to objects being able to modify other objects by adding or modifying properties. In rangy, the extend() function merges objects in a way that allows an attacker to potentially add or modify properties of the Object prototype.

Since the Object prototype is at the top of the prototype chain, this could allow attackers to modify existing constructors or add new properties/methods to all objects. This may lead to security issues like data theft or code execution if not properly validated.

The vulnerability affects all versions of rangy prior to fixing this issue. To protect yourself, update to the latest version of rangy as soon as possible. You can also implement input validation for any properties/methods added to objects to prevent malicious payloads.

If using rangy, be aware of this risk and update immediately. Prototype Pollution vulnerabilities can have serious consequences if exploited, so keeping your dependencies up-to-date is important for security.

References