Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:deb/debian/node-ini@3.0.1-2?distro=trixie
purl pkg:deb/debian/node-ini@3.0.1-2?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-7tyw-ppyt-zqgr ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse ### Overview The `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context. ### Patches This has been patched in 1.3.6. ### Steps to reproduce payload.ini ``` [__proto__] polluted = "polluted" ``` poc.js: ``` var fs = require('fs') var ini = require('ini') var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8')) console.log(parsed) console.log(parsed.__proto__) console.log(polluted) ``` ``` > node poc.js {} { polluted: 'polluted' } { polluted: 'polluted' } polluted ``` CVE-2020-7788
GHSA-qqgx-2p2h-9c37

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-02T04:15:20.724729+00:00 Debian Importer Fixing VCID-7tyw-ppyt-zqgr https://security-tracker.debian.org/tracker/data/json 38.6.0
2026-04-16T11:29:40.839996+00:00 Debian Importer Fixing VCID-7tyw-ppyt-zqgr https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-13T07:50:01.175378+00:00 Debian Importer Fixing VCID-7tyw-ppyt-zqgr https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-03T07:47:09.555921+00:00 Debian Importer Fixing VCID-7tyw-ppyt-zqgr https://security-tracker.debian.org/tracker/data/json 38.1.0