Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Style Dictionary - Prototype Pollution in convertTokenData utility function
Vulnerability Description
Style Dictionary, a build system for creating cross-platform styles, has a prototype pollution vulnerability starting in version 4.3.0 and prior to version 5.4.4. Impact users have: direct usage of `convertTokenData(tokens, { output: 'object' });`; indirect usage, via using Expand API; and/or indirect usage via SD's transform lifecycle. Impact is high for this when style-dictionary is used as an integration in a NodeJS server application. Impact is moderate for when style-dictionary is used as an integration in a Web application. Impact is low for most common cases where the user of style-dictionary also maintains the tokens, and access is limited via read/write access to the repository/workflows where it is used. A patch has been published in version `5.4.4`. The only known workaround is to sanitize token data first. Whether using DTCG format or old Style Dictionary format, check the token data object recursively for any object keys that include `__proto__`.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
CWE-1321
Vulnerability Title
Style Dictionary 输入验证错误漏洞
Vulnerability Description
Style Dictionary Style Dictionary是Style Dictionary团队开源的一个基于设计令牌(Design Tokens)的跨平台样式构建系统,让你只需定义一次样式,就能自动导出为 iOS、Android、CSS、JS 等多种平台所需的格式。 Style Dictionary 4.3.0版本至5.4.4之前版本存在输入验证错误漏洞,该漏洞源于原型污染,可能导致攻击者利用convertTokenData或Expand API进行攻击。
CVSS Information
N/A
Vulnerability Type
N/A