jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
An attacker can inject arbitrary properties into the JavaScript object prototype through the s.contexts._.configure function. Prototype pollution involves modifying the global Object.prototype, which affects the behavior of all objects in the application. Through appropriately crafted input data, an attacker can trigger arbitrary code execution (RCE) or cause the application to crash (DoS). The vulnerability can be exploited remotely, without authentication and without user interaction.
An attacker can execute arbitrary code on the server side or in a client application using the vulnerable library, and can also completely disable its operation by triggering a Denial of Service.
Patches available from the vendor should be applied according to the references. It is recommended to update the RequireJS library as soon as possible to a version higher than 2.3.6 and verify all project dependencies that use this library.
jrburke RequireJS version 2.3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H