GHSA-593m-55hh-j8gv

WSO2 Products impacted: No (transitive dependency)

Customer actions required: No


REPORTED VULNERABILITY

A vulnerability has been identified in @sentry/browser where versions prior to 7.119.1 may act as a prototype pollution gadget. This means that while the package itself is not directly exploitable, it could be abused by an attacker if another prototype pollution vulnerability exists in the application.

Affected component: @sentry/browser
Installed version: 6.19.7
Required version: 7.119.1

REPORTED PRODUCTS

  • WSO2 API Manager 4.2.0 and later

WSO2 JUSTIFICATION

The affected dependency @sentry/browser@6.19.7 is included in the Developer Portal application as a transitive dependency, introduced via Stoplight Elements.

  • The package does not introduce a direct security vulnerability on its own.
  • It may only pose a risk if a prototype pollution vulnerability exists elsewhere in the application.
  • WSO2 APIM does not expose such a vulnerability in this context, so the dependency does not present an exploitable threat.
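To make the "gadget" notion these points rest on concrete, here is an added JavaScript illustration that is neither WSO2's nor Sentry's code: a hypothetical option reader that trusts inherited properties (the gadget), a hypothetical unsafe merge standing in for the separate prototype pollution source the advisory says must exist, and a hardened reader that honours only own properties. The option name `debug`, all function names and the constructed JSON input are assumptions made up for this example.

```javascript
// Added illustration of a "prototype pollution gadget"; hypothetical code,
// NOT @sentry/browser's implementation. Names and the input are constructed.

// Pollution source: an unsafe recursive merge of untrusted JSON. This is the
// *other* vulnerability the advisory says must exist for a gadget to matter.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value); // a "__proto__" key walks up to Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Gadget: library code that reads an option through the prototype chain.
// Harmless while Object.prototype is clean; honours polluted keys once it is not.
function gadgetReadOption(options, name, fallback) {
  return options[name] !== undefined ? options[name] : fallback;
}

// Hardened reader: only own properties count, so pollution cannot reach it.
function hardenedReadOption(options, name, fallback) {
  return Object.prototype.hasOwnProperty.call(options, name) ? options[name] : fallback;
}

// Constructed untrusted input (e.g. a JSON request body) that targets every object.
const CONSTRUCTED_INPUT = '{"__proto__": {"debug": true}}';

// Shows that the gadget only changes behaviour when a pollution source is present,
// and that the hardened reader keeps its fallback either way.
function demonstrate(pollutionSourcePresent) {
  const appConfig = {};                        // the application never set "debug"
  if (pollutionSourcePresent) unsafeMerge({}, JSON.parse(CONSTRUCTED_INPUT));
  const result = {
    gadget: gadgetReadOption(appConfig, 'debug', false),
    hardened: hardenedReadOption(appConfig, 'debug', false),
  };
  delete Object.prototype.debug;               // restore a clean prototype
  return result;
}
```

With the pollution source present the gadget reader returns `true` for an option the application never set, while the hardened reader still returns its fallback; without the source both return `false`.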

Nevertheless, keeping dependencies updated is important for long-term security, performance, and compatibility. WSO2 will address this by upgrading @sentry/browser to 7.119.1 in a future update. Additionally, @sentry/react will be upgraded to a compatible 7.x version to maintain alignment.

CUSTOMER ACTIONS REQUIRED

  • No immediate manual action is required from customers.
  • This issue will be resolved in an upcoming update release.

REFERENCES