VDB

CVE-2021-23413

CVE-2021-23413 PUBLISHED

This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototype instance.

EPSS 1.21% · 79.4th percentile

Risk Scores

EPSS Score
1.21%
79.4th percentile

Affected Products

VendorProductVersions
Ubuntu:25.10node-jszip3.10.1+dfsg-2, 0
Ubuntu:18.04:LTSnode-jszip0, 3.1.4+dfsg-1
Ubuntu:22.04:LTSnode-jszip0, 3.5.0+dfsg-2, 3.7.1+dfsg-1
Ubuntu:20.04:LTSnode-jszip3.2.2+dfsg-1, 0
Ubuntu:24.04:LTSnode-jszip0, 3.10.1+dfsg-2

Timeline

  • Jul 25, 2021 CVE Published
  • Jul 26, 2021 EPSS Score
  • Aug 27, 2021 CVE Updated
  • Sep 23, 2021 EPSS Score
  • Nov 21, 2021 EPSS Score
  • Jan 20, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Mar 20, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • Jul 17, 2022 EPSS Score
  • Sep 15, 2022 EPSS Score
  • Nov 13, 2022 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›