Prevent exploitation of CVE-2021-23440

[Jacc0]

Hi @jonschlinkert , we are urgently looking for a patch for version 2.0.1 to intergrade into Angular
Reading the POC I think this solution might prevent exploitation.

Do you have time to review/test?

[wejendorp]

Testing out the PoC from the report, v2.0.1 does not seem to be vulnerable.

git checkout 2.0.0
rm -rf node_modules package-lock.json && npm i && node poc.js

AssertionError [ERR_ASSERTION]: 'Yes! Its Polluted' == undefined

git checkout 2.0.1
rm -rf node_modules package-lock.json && npm i && node poc.js

No error

[shashi4a6]

Testing out the PoC from the report, v2.0.1 does not seem to be vulnerable.

git checkout 2.0.0
rm -rf node_modules package-lock.json && npm i && node poc.js

AssertionError [ERR_ASSERTION]: 'Yes! Its Polluted' == undefined

git checkout 2.0.1
rm -rf node_modules package-lock.json && npm i && node poc.js

No error

Hi, I am currently working on to fix the vulnerability reported for version 2.0.1. Do you mean the current version 2.0.1 is not vulnerable and no need to update to new version. If not, can you please let me know when can we have a patch available for this.

[jonschlinkert]

Sorry for the late reply. I think @wejendorp is correct, I'm fairly certain this was resolved. Can you provide a failing unit test to demonstrate where the vulnerability persists?

[Jacc0]

I'll accept your analysis to be correct