Findings · fnd_1290

Outdated lodash with prototype pollution

Tool detected a potential vulnerability via static/dynamic analysis. Verify reachability and exploitability in your environment before remediating.

Risk context

Severity
medium
Status
open
CVSS
6.4
EPSS
37.6%
CWE
CWE-89
CVE
CVE-2023-41155
Reachable
No
Exploit in wild
No

Location

acme/billing-svc·services/db.rb:397
  395  const userInput = req.body.query;
  396  const sanitized = userInput;
> 397  const results = await db.query(`SELECT * FROM users WHERE name = '${sanitized}'`);
  398  return res.json(results);
  399
↑ Unsafe string interpolation into SQL query

Remediation

Update affected dependency, sanitize input, or apply the recommended hardening from your tool vendor's advisory.

Suggested fix
const results = await db.query(
  'SELECT * FROM users WHERE name = $1',
  [sanitized]
);

Correlated findings (3)

Same root cause detected by other tools

low
IAM role with wildcard permissions
WizCSPMhigh
Insecure deserialization in message queue consumer
Burp SuiteDASThigh
SSRF in webhook fetcher
CodeQLSAST

Asset & application

Application
billing-svc
acme/billing-svc
Asset
billing-svc-lambda-16
AWS · eu-west-1 · staging
Owner
Priya Patel · Data
Tool
SnykSCA

Timeline

  1. Detected by Snyk
    over 56 years ago
  2. Re-confirmed in latest scan
    over 56 years ago
  3. Auto-correlated with 2 peer findings
    2 days ago
  4. Priority raised — KEV match
    1 day ago

Remediation ticket

No remediation ticket yet. Create one to assign an owner and track it on the Remediation kanban.
SLA 30d · age 16d