Enquirer
Monthly
Prototype pollution in the enquirer npm package (versions up to 2.4.1) allows remote authenticated attackers to manipulate JavaScript Object.prototype attributes by injecting a crafted value into the question.name argument of the Enquirer.set() function. The vulnerability carries a low CVSS 4.0 score of 2.1, reflecting limited integrity-only impact scoped to the vulnerable system with no confidentiality or availability consequence. Publicly available exploit code exists via GitHub issue #487, though no active exploitation has been confirmed in CISA KEV.
Prototype pollution in the enquirer npm package (versions up to 2.4.1) allows remote authenticated attackers to manipulate JavaScript Object.prototype attributes by injecting a crafted value into the question.name argument of the Enquirer.set() function. The vulnerability carries a low CVSS 4.0 score of 2.1, reflecting limited integrity-only impact scoped to the vulnerable system with no confidentiality or availability consequence. Publicly available exploit code exists via GitHub issue #487, though no active exploitation has been confirmed in CISA KEV.