Findings · fnd_2139

Outdated lodash with prototype pollution

Tool detected a potential vulnerability via static/dynamic analysis. Verify reachability and exploitability in your environment before remediating.

Risk context

Severity
high
Status
open
CVSS
4.6
EPSS
17.3%
CWE
CWE-89
CVE
Reachable
Yes
Exploit in wild
No

Location

acme/analytics-pipeline·src/api/db.rb:41
  39  const userInput = req.body.query;
  40  const sanitized = userInput;
> 41  const results = await db.query(`SELECT * FROM users WHERE name = '${sanitized}'`);
  42  return res.json(results);
  43
↑ Unsafe string interpolation into SQL query

Remediation

Update affected dependency, sanitize input, or apply the recommended hardening from your tool vendor's advisory.

Suggested fix
const results = await db.query(
  'SELECT * FROM users WHERE name = $1',
  [sanitized]
);

Correlated findings (3)

Same root cause detected by other tools

low
Terraform module pins old AMI with CVEs
Burp Pro PenTestPenTestcritical
Insecure deserialization in message queue consumer
GrypeContainerhigh
Outdated lodash with prototype pollution
SonarQubeSAST

Asset & application

Application
analytics-pipeline
acme/analytics-pipeline
Asset
analytics-pipeline-service-10
GCP · eu-west-1 · qa
Owner
Marcus Wei · ML
Tool
DependabotSCA

Timeline

  1. Detected by Dependabot
    almost 57 years ago
  2. Re-confirmed in latest scan
    over 56 years ago
  3. Auto-correlated with 2 peer findings
    2 days ago
  4. Priority raised — KEV match
    1 day ago

Remediation ticket

No remediation ticket yet. Create one to assign an owner and track it on the Remediation kanban.
SLA 14d · age 145d