Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:HDebian
OSDebian10.011.0Netapp Oncommand Insight
APPNetappwszystkie wersjeNetapp Oncommand Workflow Automation
APPNetappwszystkie wersjeNetapp Snapcenter
APPNetappwszystkie wersjeNode.js
APPNodejs12.0.0 – 12.22.9 (bez)14.0.0 – 14.18.3 (bez)16.0.0 – 16.13.2 (bez)17.0.0 – 17.3.1 (bez)Oracle MySQL Cluster
APPOracle≤ 8.0.29Oracle MySQL Connectors
APPOracle≤ 8.0.28Oracle MySQL Enterprise Monitor
APPOracle≤ 8.0.29Oracle MySQL Server
APPOracle≤ 8.0.29Oracle MySQL Workbench
APPOracle≤ 8.0.28Oracle Peoplesoft Enterprise Peopletools
APPOracle8.588.59
Related vulnerabilities
Pominięcie uwierzytelnienia w Oracle PeopleSoft PeopleTools (RCE/Takeover)
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)