This affects the package com.graphhopper:graphhopper-web-bundle prior to 3.2, from 4.0-pre1 and prior to 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload.
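The weakness described above, shown on a hypothetical dotted-key query-string parser next to a hardened form. This is an added example, not GraphHopper's code; the function names, the dotted-key syntax and the sample query strings are assumptions made for illustration.

```javascript
// Added illustration (hypothetical parser): "point.lat=52.5" -> { point: { lat: "52.5" } }
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split "a=b&c=d" into decoded [key, value] pairs.
function splitPairs(query) {
  return query.replace(/^\?/, "").split("&").filter(Boolean).map((pair) => {
    const [key, ...rest] = pair.split("=");
    return [decodeURIComponent(key), decodeURIComponent(rest.join("="))];
  });
}

// Weak form: walks the path with plain property access, so a path segment of
// __proto__ or constructor resolves to inherited objects shared by everything.
function parseUnsafe(query) {
  const out = {};
  for (const [key, value] of splitPairs(query)) {
    const path = key.split(".");
    let node = out;
    for (const part of path.slice(0, -1)) {
      if (node[part] === undefined) node[part] = {};
      node = node[part];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// Hardened form: keys are checked after decoding, pairs with a blocked segment
// are dropped, only own properties are walked, and nodes have no prototype.
function parseSafe(query) {
  const out = Object.create(null);
  for (const [key, value] of splitPairs(query)) {
    const path = key.split(".");
    if (path.some((p) => BLOCKED_KEYS.has(p))) continue;
    let node = out;
    for (const part of path.slice(0, -1)) {
      const own = Object.prototype.hasOwnProperty.call(node, part);
      if (!own || typeof node[part] !== "object") node[part] = Object.create(null);
      node = node[part];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// Regression check: did parsing leave a "polluted" key on Object.prototype?
function pollutes(parser, query) {
  parser(query);
  const hit = Object.prototype.hasOwnProperty.call(Object.prototype, "polluted");
  delete Object.prototype.polluted; // restore a clean prototype
  return hit;
}
```

`pollutes` can serve as a regression test around any parser that builds nested objects from request input: it reports whether a given query string left a stray property on `Object.prototype`.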
Vulnerable Product |
---|
graphhopper graphhopper 4.0 |
graphhopper graphhopper |