A security guy told me about indy-node vulnerabilities. It's about a jsonpickle security issue, and it is classified as critical: GHSA-j66q-qmrc-89rx
However, the jsonpickle team defended that it is intended, and they suggested that, to be sure to be safe, users of this library should set `safe=True` when calling `jsonpickle.decode()`: jsonpickle/jsonpickle#335
It appears that in indy-plenum, `jsonpickle.decode()` is called without the `safe` parameter. Wouldn't it be better to add it?
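As an added example (not code from indy-plenum or jsonpickle), below is a stdlib-only gate that a caller can run on an untrusted document before handing it to `jsonpickle.decode(raw, safe=True)`. It parses the document as plain JSON and refuses it if any `py/object` tag names a class outside an allowlist, or if it carries one of the jsonpickle tags that make the decoder import or call code (`py/type`, `py/reduce`, `py/function`, `py/repr`, `py/newobj`). This complements `safe=True`, which disables the `eval()` fallback used for `py/repr` entries but does not by itself restrict which classes a `py/object` tag may name. The class names, sample documents and the choice of tags to gate are my own assumptions.

```python
import json

# jsonpickle tags that make the decoder import, instantiate or call code
# (tag names as jsonpickle writes them; which ones to gate is my choice).
CODE_LOADING_TAGS = {"py/type", "py/reduce", "py/function", "py/repr", "py/newobj"}

class UnsafePayload(ValueError):
    """Raised when a document references a class or tag outside the allowlist."""

def find_unsafe_tags(node, allowed_classes, path="$"):
    """Walk a parsed JSON tree and return (json_path, tag, value) for each code-loading
    tag, or each py/object whose class name is not in allowed_classes."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "py/object" and value not in allowed_classes:
                findings.append((path, key, value))
            elif key in CODE_LOADING_TAGS:
                findings.append((path, key, value))
            findings.extend(find_unsafe_tags(value, allowed_classes, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_unsafe_tags(item, allowed_classes, f"{path}[{i}]"))
    return findings

def is_safe_payload(raw, allowed_classes):
    """True if the document uses only plain JSON plus allowlisted py/object classes."""
    return not find_unsafe_tags(json.loads(raw), allowed_classes)

def gate_payload(raw, allowed_classes):
    """Return raw unchanged if it passes the gate, otherwise raise UnsafePayload.
    Pass only the returned value on to jsonpickle.decode(raw, safe=True)."""
    findings = find_unsafe_tags(json.loads(raw), allowed_classes)
    if findings:
        detail = "; ".join(f"{p}: {t}={v!r}" for p, t, v in findings)
        raise UnsafePayload(f"refusing to decode: {detail}")
    return raw

# Constructed sample documents; the class names are hypothetical, not from indy-plenum.
ALLOWED = {"myapp.messages.Ping"}
GOOD = '{"py/object": "myapp.messages.Ping", "seq": 7, "tags": {"py/set": ["a", "b"]}}'
BAD = ('{"py/object": "myapp.messages.Ping", "seq": 7, '
       '"extra": [{"py/object": "other.pkg.NotAllowed"}, {"py/function": "builtins.len"}]}')

if __name__ == "__main__":
    gate_payload(GOOD, ALLOWED)  # passes silently
    try:
        gate_payload(BAD, ALLOWED)
    except UnsafePayload as exc:
        print(exc)
```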