react-native-codegen 0.0.7 transitive package unset-value/1.0.0 has a known vulnerability security issue
Description
react-native-codegen 0.0.7 transitive package unset-value/1.0.0.0 has known vulnerability security issues. We are using the unset-value/1.0.0 transitive package under the react-native-codegen 0.0.7 library. The unset-value/1.0.0 transitive package has a security issue, i.e. unset-value is vulnerable to a prototype pollution attack. A remote attacker may be able to execute arbitrary code or cause a denial-of-service (DoS) by tricking the library into modifying or adding properties of Object.prototype. CVE: BDSA-2021-4507 RCE
We would expect a fix for BDSA-2021-4507 (RCE) in the unset-value/1.0.0 transitive package, by upgrading react-native-codegen 0.0.7 to the latest version.
Version
react-native-codegen 0.0.7
Output of npx react-native info
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: support for ECMAScript is superseded by uglify-js as of v3.13.0
Steps to reproduce
Running the SCA using Blackduck found the transitive package unset-value/1.0.0.0 vulnerable, with CVE: BDSA-2021-4507 RCE
Snack, code example, screenshot, or link to a repository
NA
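When an SCA tool flags a transitive package such as unset-value/1.0.0, a useful triage step is to list every dependency chain in the lockfile that leads to that exact version. The following is an added example, not part of the original issue or of the React Native project's code; it assumes the npm lockfile v2/v3 `packages` layout, and the sample lockfile, `my-app`, `example-intermediate` and `other-lib` are constructed placeholders.

```javascript
// Resolve a dependency name the way Node does: look in the requiring
// package's own node_modules first, then walk up towards the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // declared but not installed (e.g. optional)
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Return every chain "root > a@x > b@y > name@version" found in the lockfile.
function findChains(lock, name, version) {
  const packages = lock.packages || {};
  const chains = [];
  const walk = (path, trail, onPath) => {
    const entry = packages[path];
    const deps = { ...entry.dependencies, ...entry.optionalDependencies,
                   ...(path === "" ? entry.devDependencies : {}) };
    for (const dep of Object.keys(deps)) {
      const target = resolveDep(packages, path, dep);
      if (!target || onPath.has(target)) continue; // missing, or a cycle
      const label = `${dep}@${packages[target].version}`;
      if (dep === name && packages[target].version === version) {
        chains.push([...trail, label].join(" > "));
        continue;
      }
      onPath.add(target);
      walk(target, [...trail, label], onPath);
      onPath.delete(target);
    }
  };
  if (packages[""]) walk("", [packages[""].name || "(root)"], new Set([""]));
  return chains;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = { lockfileVersion: 2, packages: {
  "": { name: "my-app", dependencies: { "react-native-codegen": "0.0.7", "other-lib": "^3.0.0" } },
  "node_modules/react-native-codegen": { version: "0.0.7", dependencies: { "example-intermediate": "^1.0.0" } },
  "node_modules/example-intermediate": { version: "1.2.0", dependencies: { "unset-value": "^1.0.0" } },
  "node_modules/unset-value": { version: "1.0.0" },
  "node_modules/other-lib": { version: "3.0.0", dependencies: { "unset-value": "^2.0.0" } },
  "node_modules/other-lib/node_modules/unset-value": { version: "2.0.1" },
} };

console.log(findChains(sampleLock, "unset-value", "1.0.0"));
```

Against a real project, pass the parsed contents of `package-lock.json` instead of `sampleLock`; each returned chain names the direct dependency that has to be upgraded or overridden.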