CVE-2023-30363

9.8 CRITICAL

📋 TL;DR

CVE-2023-30363 is a prototype pollution vulnerability in vConsole v3.15.0 that allows attackers to modify JavaScript object prototypes, potentially leading to remote code execution or denial of service. It affects any web application that loads the vulnerable vConsole library for debugging. The flaw is reached through the setOptions function in core.ts.

💻 Affected Systems

Products:
  • Tencent vConsole
Versions: v3.15.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects vConsole v3.15.0 specifically; other versions are not vulnerable. Requires vConsole to be enabled/loaded in the web application.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment on affected web servers.

🟠 Likely Case

Denial of service, application instability, or limited data manipulation through prototype pollution.

🟢 If Mitigated

Limited impact with proper input validation and security controls, potentially causing minor application errors.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation details are publicly available in GitHub issues. The vulnerability is in client-side JavaScript, making it accessible to any user interacting with the web application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.15.1 or later

Vendor Advisory: https://github.com/Tencent/vConsole/issues/616

Restart Required: No

Instructions:

1. Update vConsole to version 3.15.1 or later.
2. Replace the vulnerable vConsole library in your project.
3. Test the application to ensure compatibility.
4. Deploy the updated version to production.

🔧 Temporary Workarounds

Disable vConsole in Production

Applies to: all

Remove or disable vConsole from production environments since it's primarily a debugging tool.

Remove vConsole import/script tag from production builds

Input Validation

Applies to: all

Implement strict input validation for options passed to vConsole's setOptions function.
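The following is an added example, not vConsole's own code and not a copy of its core.ts: it shows the prototype-pollution bug class a naive options merge exposes, next to a hardened merge of the kind the input-validation workaround calls for (own keys only, prototype-related keys rejected, an allow-list at the top level). The function names unsafeMerge, safeMerge and demo, the allow-list contents and the payload are all constructed for illustration.

```javascript
// Added example, not vConsole's own code: a hardened options merge for the
// "Input Validation" workaround. The vulnerable merge below is a generic
// illustration of the prototype-pollution bug class; it is not a copy of
// vConsole's core.ts. Names (unsafeMerge, safeMerge, demo) are hypothetical.

// Keys that let an untrusted object reach Object.prototype through a merge.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive recursive merge. `for...in` yields the own "__proto__" key that
// JSON.parse creates, and target["__proto__"] resolves to Object.prototype,
// so the nested keys are written onto every object in the realm.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: own keys only, prototype-related keys rejected, optional
// allow-list for the top level, and recursion only into the target's own
// plain-object properties (never into inherited ones).
function safeMerge(target, source, allowedKeys) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (allowedKeys && !allowedKeys.has(key)) continue;
    const value = source[key];
    const isPlainObject =
      typeof value === 'object' && value !== null && !Array.isArray(value);
    if (isPlainObject) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value); // no allow-list below the top level
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input: what JSON.parse of a body containing a "__proto__" key
// produces (an own, enumerable property literally named "__proto__").
const CONSTRUCTED_PAYLOAD =
  '{"__proto__": {"polluted": "yes"}, "theme": "dark", "junk": 1}';

// Runs both merges and reports whether Object.prototype was touched,
// cleaning up afterwards so the pollution does not outlive the demo.
function demo() {
  const allowed = new Set(['theme', 'maxLogNumber']); // hypothetical allow-list

  const safeTarget = safeMerge({ theme: 'light' }, JSON.parse(CONSTRUCTED_PAYLOAD), allowed);
  const safePolluted = ({}).polluted === 'yes';

  unsafeMerge({}, JSON.parse(CONSTRUCTED_PAYLOAD));
  const unsafePolluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted;

  return {
    safeTarget,     // { theme: 'dark' }: "junk" dropped by the allow-list
    safePolluted,   // false
    unsafePolluted, // true
  };
}

console.log(demo());
```

The allow-list is the part worth keeping even after patching: a debugging overlay only needs a handful of documented options, so anything outside that set can be dropped before it reaches setOptions, whichever version of the library is installed.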

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) to restrict script execution
  • Use web application firewall (WAF) rules to block malicious payloads targeting prototype pollution

🔍 How to Verify

Check if Vulnerable:

Check if vConsole version 3.15.0 is used in your project by examining package.json or script tags.

Check Version:

Run npm list vconsole to see the version actually installed, or check package.json for a range that excludes 3.15.0, such as "vconsole": "^3.15.1". The installed version (lockfile) is what matters; a range in package.json alone does not prove what is deployed.

Verify Fix Applied:

Verify that vConsole is updated to version 3.15.1 or later in your project dependencies.
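As an added example for the verification steps above (not from the advisory), the checker below walks a parsed package-lock.json, in either lockfile v1 ("dependencies") or v2/v3 ("packages") shape, and reports every vconsole install that resolves to the affected release, including copies nested under other packages that npm list also shows. The two lock objects are constructed samples; the function names findVconsoleInstalls and isAffected are hypothetical.

```javascript
// Added example, not from the advisory: reports whether any installed copy
// of the vconsole package resolves to the affected release, 3.15.0.
// Reads a package-lock.json object in lockfile v1 ("dependencies") or
// v2/v3 ("packages") shape. Both sample locks below are constructed.

const AFFECTED_VERSION = '3.15.0';

// Walks a parsed package-lock.json and returns every install path whose
// package name is "vconsole" together with its resolved version.
function findVconsoleInstalls(lock) {
  const found = [];

  // Lockfile v2/v3: keys look like "node_modules/vconsole" or
  // "node_modules/foo/node_modules/vconsole" (nested duplicates count too).
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/vconsole' || path.endsWith('/node_modules/vconsole')) {
      found.push({ path, version: entry.version });
    }
  }

  // Lockfile v1: nested "dependencies" maps, walked recursively.
  function walkV1(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'vconsole') found.push({ path, version: entry.version });
      walkV1(entry.dependencies, `${path}/`);
    }
  }
  if (!lock.packages) walkV1(lock.dependencies, '');

  return found;
}

// Only the installs pinned to the affected release.
function isAffected(lock) {
  return findVconsoleInstalls(lock).filter((i) => i.version === AFFECTED_VERSION);
}

// Constructed v3 lock: top-level vconsole is affected, a nested copy is fixed.
const CONSTRUCTED_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { vconsole: '^3.15.0' } },
    'node_modules/vconsole': { version: '3.15.0' },
    'node_modules/other-lib': { version: '1.0.0' },
    'node_modules/other-lib/node_modules/vconsole': { version: '3.15.1' },
  },
};

// Constructed v1 lock: top-level copy is fixed, a nested copy is affected.
const CONSTRUCTED_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    vconsole: { version: '3.15.1' },
    'other-lib': { version: '1.0.0', dependencies: { vconsole: { version: '3.15.0' } } },
  },
};

console.log(isAffected(CONSTRUCTED_LOCK_V3)); // [{ path: 'node_modules/vconsole', version: '3.15.0' }]
console.log(isAffected(CONSTRUCTED_LOCK_V1)); // [{ path: 'node_modules/other-lib/node_modules/vconsole', version: '3.15.0' }]
```

In a real project, replace the constructed objects with JSON.parse of the lockfile contents; the nested-copy case is the one a quick look at package.json misses.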

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript errors related to object prototypes
  • Unexpected behavior in vConsole functionality

Network Indicators:

  • Suspicious payloads in HTTP requests targeting vConsole endpoints

SIEM Query:

Search for logs containing 'vConsole' and 'setOptions' with unusual parameter values
