CVE-2022-21824 The "console.table()" function can't handle user-controlled input and a plain object with at least one property as the first parameter.

This is safe because the object being assigned to cannot have a __proto__ property itself and the assignment must be to a non-numeric key, so the problem is unlikely to occur. The probability of user controlled input being passed to the "properties" parameter and a null object being assigned to a numerical key of the object prototype is extremely low. These versions of Node.js do not allow user controlled input to be passed to the "properties" parameter.
In versions of Node.js prior to these versions, the object being assigned to can have a __proto__ property and the assignment can be to a non-numeric key. This causes the null object to be created and results in the issue.
The issue can be worked around by using the following code: An issue was discovered in certain configurations of Node.js. Certain inputs to the "console.table()" function can cause the creation of a null object as the result of the assignment, which can result in severe damage to the integrity of the program.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 do not allow user controlled input to be passed to the "properties" parameter.

Versions affected by CVE-2022 -21824

Node.js

Version number and root cause

Node.js v12.22.9, v14.18.3, v16.13.2, and v17.3.1 are vulnerable to this issue as the assignment could result in a null object being created on the object prototype which can cause severe damage to the integrity of the program if user input is passed to "properties". Depending on your application, you might be able to work around this issue by ensuring that user controlled inputs are not passed to "properties".
You can prevent this issue by using the following code: An issue was discovered in certain configurations of Node.js. Certain inputs to the "console.table()" function can cause the creation of a null object as the result of the assignment, which can result in severe damage to the integrity of the program if user input is passed to "properties"

Version 12.22.9

, 14.18.3, 16.13.2, 17.3.1
Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 do not allow user controlled input to be passed to the "properties" parameter so this issue is safe to use in these versions of Node..
Node 6 and Node 11 also do not allow user controlled input to be passed to the "properties" parameter so this issue is safe to use in these versions of Node as well..

Affected versions of Node.js

All versions of Node.js

Timeline

Published on: 02/24/2022 19:15:00 UTC
Last modified on: 07/30/2022 02:19:00 UTC

References

• https://hackerone.com/reports/1431042
• https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
• https://security.netapp.com/advisory/ntap-20220325-0007/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.debian.org/security/2022/dsa-5170
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://security.netapp.com/advisory/ntap-20220729-0004/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21824