Critical Vulnerability Found in 'express-fileupload', Upgrade Urged

A popular NodeJS component is vulnerable. Upgrade now to prevent serious attacks.

A critical vulnerability in the popular NodeJS component 'express-fileupload' has been discovered. The Prototype Pollution vulnerability, identified as CVE-2020-7699, allows attackers to cause Denial of Service (DoS) and potentially execute remote code. Sonatype recommends upgrading to version 1.1.10 or above to patch the issue.

The vulnerability was first spotted by security researcher Posix at the end of July. Although a partial fix was applied in version 1.1.8, attackers could still bypass it. The 'express-fileupload' team has since released versions 1.1.9 and above with improved fixes and extended protections.

The 'express-fileupload' component is widely used by developers because of its flexible file upload options. However, its popularity also makes it an attractive target for attackers. Prototype Pollution vulnerabilities, like the one found in 'express-fileupload', can be exploited to inject or modify properties on shared JavaScript object prototypes, which every object in the application then inherits. The severity of such a vulnerability depends on where and how the component is used within an application.
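As an added illustration of the vulnerability class (this is example code, not code from express-fileupload or from Sonatype), the snippet below shows a generic "set nested key" helper of the kind found in form and upload parsers, first without any guard and then hardened. It assumes a hypothetical pre-processing step has already split a field name such as `a[b][c]` into path segments `['a','b','c']`; the inputs are constructed. The unsafe helper writes through `__proto__` into `Object.prototype`; the hardened helper rejects the dangerous key names and uses prototype-less objects for intermediate nodes, and a small check confirms whether the shared prototype has been altered.

```javascript
// Added example (not express-fileupload's code): an unsafe nested-key setter,
// its hardened form, and a check for a polluted Object.prototype.
// Assumption: field names have already been split into path segments.

// UNSAFE: walks/creates nested objects by key with no guard. For a first
// segment of "__proto__", node["__proto__"] is Object.prototype itself, so
// the final assignment lands on the shared prototype.
function setPathUnsafe(target, path, value) {
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Key names that let a caller reach a prototype through bracket access.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// HARDENED: reject forbidden segments outright, only descend into own
// properties, and build intermediate nodes without a prototype chain.
function setPathSafe(target, path, value) {
  for (const key of path) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected unsafe key "${key}" in field name`);
    }
  }
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Detection check: a fresh empty object should not report an
// attacker-chosen key. Only meaningful for keys that are not already
// part of Object.prototype (e.g. "toString" is always inherited).
function isPrototypePolluted(key) {
  return key in {};
}

// Constructed walkthrough: the same malicious path against both helpers,
// plus a benign path to show the hardened helper still works normally.
function demo() {
  const maliciousPath = ['__proto__', 'polluted']; // constructed input
  setPathUnsafe({}, maliciousPath, 'yes');
  const afterUnsafe = isPrototypePolluted('polluted'); // true: prototype altered
  delete Object.prototype.polluted; // clean up so the rest of the process is unaffected

  let rejected = false;
  try {
    setPathSafe({}, maliciousPath, 'yes');
  } catch (e) {
    rejected = true;
  }
  const afterSafe = isPrototypePolluted('polluted'); // false: nothing written

  const normal = setPathSafe({}, ['file', 'name'], 'report.pdf');
  return { afterUnsafe, rejected, afterSafe, normalName: normal.file.name };
}

console.log(demo());
```

The key-name denylist is the minimal fix; using `Object.create(null)` for intermediate nodes and descending only into own properties closes the cases a denylist alone can miss, such as a nested node that already inherits the key from its prototype.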

To protect against this vulnerability, Sonatype advises upgrading to 'express-fileupload' version 1.1.10 or later. This will ensure the most up-to-date protections against Prototype Pollution and other potential security threats. As always, keeping components up-to-date is a crucial part of maintaining a secure development environment.
