Summary
Hardening of TypedArrays with non-canonical numeric property names in SES
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users should avoid sharing TypedArrays between co-tenant programs and instead create wrapper objects that produce a read-only view of the underlying data. We allow harden to succeed for TypedArrays because the treatment is in fact consistent with the behavior of collections like Map, but all collections shared between co-tentant programs should probably be attenuated to either read- or write-only facets and probably close over only part of the content of the collection. However, the motivation for allowing TypedArrays to be hardened in practice is to allow certain legacy modules to function under Hardened JavaScript with LavaMoat, since they export TypedArrays, even though they would ideally export read-only facets of these.
References
Are there any links users can visit to find out more?
Not at this time.
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
Impact
What kind of vulnerability is it? Who is impacted?
In Hardened JavaScript, programs can harden objects to safely share objects with co-tenant programs without risk of these other programs tampering with their API surface. Hardening does not guarantee that objects are pure or immutable, so a hardened Map, for example is superficially tamper-proof, but any party holding a reference to the object can both read and write its contents. Based on this precedent, and because TypedArray instances cannot be frozen with Object.isFrozen, harden does not freeze TypedArrays and instead makes them non-extensible and makes all non-indexed properties non-writable and non-configurable. This is consistent with the treatment of Map because the indexed properties represent mutable content and non-indexed properties represent the API.
Due to a defect in harden, properties that have names that parse as numbers but are not the same as the canonical representation of those numbers, as in "+0" and "" which are both equivalent to their canonical number "0", remain writable after hardening.
Any program treating one of these properties as part of its API and relying on harden to prevent modifications would be vulnerable to an API pollution attack, affecting only instances shared by mutually suspicious parties.
Unlike a Map, a hardened TypedArray can only have numbers for content. Any program that is sharing hardened TypedArrays between co-tentant programs and relying on harden to only allow these programs to communicate exclusively by changing numbers within the bounds of the TypedArray, may inadvertently have arranged for a mechanism for a pair of third-parties to communicate arbitrary objects on these other properties.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Has the problem been patched? What versions should users upgrade to?
SES version 0.16.0 patches this issue, causing harden to recognize properties with non-canonical numeric representations and ensuring that these properties are non-configurable.
Frequently Asked Questions
- What is GHSA-WHPX-Q3RQ-W8JC? GHSA-WHPX-Q3RQ-W8JC is a low-severity security vulnerability in ses (npm), affecting versions < 0.16.0. It is fixed in 0.16.0.
- Which versions of ses are affected by GHSA-WHPX-Q3RQ-W8JC? ses (npm) versions < 0.16.0 is affected.
- Is there a fix for GHSA-WHPX-Q3RQ-W8JC? Yes. GHSA-WHPX-Q3RQ-W8JC is fixed in 0.16.0. Upgrade to this version or later.
- Is GHSA-WHPX-Q3RQ-W8JC exploitable, and should I be worried? Whether GHSA-WHPX-Q3RQ-W8JC is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-WHPX-Q3RQ-W8JC is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-WHPX-Q3RQ-W8JC? Upgrade
sesto 0.16.0 or later.