CVE-2022-37602

Prototype Pollution affects Grunt Karma in AngularJS
Versions: >=0.10.0
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Grunt-karma is a Grunt plugin that integrates the Karma test runner into Grunt build processes, allowing JavaScript unit tests to run as part of automated tasks.

A Prototype Pollution vulnerability (CVE-2022-37602) has been identified in grunt-karma, which allows a malicious actor to modify an object's prototype, potentially leading to unexpected behavior or security issues.

Per OWASP: Prototype Pollution is a critical vulnerability that can allow attackers to manipulate an application's JavaScript objects and properties, leading to serious security issues such as unauthorized access to data, privilege escalation, and even remote code execution.

This affects all versions of grunt-karma greater than or equal to 0.10.0.

Details

Vulnerability Info

This Critical-severity vulnerability is found in all grunt-karma packages greater than or equal to 0.10.0.

grunt-karma allows users to specify preprocessors in a gruntfile.js. Preprocessors let you transform your files (for example, transpiling or instrumenting them) before they are served to the browser.

The grunt-karma task reads the preprocessor configuration object listed in your gruntfile.js, creates a plain object with literal notation ({}), and copies the configured values into it without sanitizing the keys:

// plain object: its __proto__ accessor is inherited from Object.prototype
var preprocessors = {}
// ...
// key and value come straight from the gruntfile's preprocessor config;
// a key of "__proto__" hits the inherited setter and replaces the object's
// prototype instead of adding an own property
  preprocessors[key] = value

This theoretically allows a configured key to override the object's special __proto__ property, potentially changing the object's behavior and causing unexpected failures or bypassing checks that rely on its properties.
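To make the key-handling defect concrete, here is an added example (not grunt-karma's own code): a copy loop in the vulnerable shape beside a hardened version, both run over a constructed preprocessor config. The function names, the config contents and the use of JSON.parse as the entry point are assumptions.

```javascript
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern (the shape the advisory describes): keys from the gruntfile
// flow straight into a plain object. A key named "__proto__" hits the inherited
// __proto__ setter and replaces the object's prototype instead of adding an
// own property, so attacker-chosen entries become inherited preprocessor rules.
function buildPreprocessorsVulnerable(config) {
  var preprocessors = {};
  for (var key in config) {
    preprocessors[key] = config[key];
  }
  return preprocessors;
}

// Hardened copy: a null-prototype target (no __proto__ setter to trigger),
// own keys only, and the reserved keys dropped before assignment.
function buildPreprocessorsSafe(config) {
  const preprocessors = Object.create(null);
  for (const key of Object.keys(config)) {
    if (UNSAFE_KEYS.has(key)) continue;
    preprocessors[key] = config[key];
  }
  return preprocessors;
}

// Constructed preprocessor config as it would arrive after parsing (JSON here).
// JSON.parse yields an *own* "__proto__" key; an object literal in source code
// would instead set the prototype at creation, so parsed config is the case
// that matters.
const untrustedConfig = JSON.parse(
  '{"src/**/*.js": ["babel"], "__proto__": {"injected/**/*.js": ["coverage"]}}'
);

// Compare the two copies; returns observations rather than printing them.
function demo() {
  const bad = buildPreprocessorsVulnerable(untrustedConfig);
  const good = buildPreprocessorsSafe(untrustedConfig);
  return {
    badProtoReplaced: Object.getPrototypeOf(bad) !== Object.prototype,
    badInheritsInjected: bad['injected/**/*.js'] !== undefined,
    badOwnKeys: Object.keys(bad),
    goodProto: Object.getPrototypeOf(good),
    goodInjected: good['injected/**/*.js'],
    goodOwnKeys: Object.keys(good),
  };
}

console.log(demo());
```

Note that Object.keys on the vulnerable copy does not list the injected rule, which is why such pollution is easy to miss in a casual inspection of the resulting object.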

Mitigation

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications away from Grunt Karma.
  • Leverage a commercial support partner like HeroDevs for security support.

Credits

  • secdevlpr26 (finder)

Vulnerability Details

ID: CVE-2022-37602
Project Affected: Grunt Karma
Versions Affected: >=0.10.0
Published date: October 29, 2025
≈ Fix date: October 22, 2025
Severity: Critical
Category: Prototype Pollution