CVE-2017-16129 – Prototype pollution

Severity: None

2025-12-19


Abstract

The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several orders of magnitude larger once uncompressed. If a client does not take special care when processing such responses, the result may be excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this, the attacker must control the location (URL) that superagent makes a request to.

The Oxygen products incorporate the superagent library as a third‑party component. This advisory was opened to address the potential impact of this third‑party library’s vulnerability.

Affected Products/Versions

Product: Oxygen Content Fusion v8.0 and older
Severity: None
Fixed Release Availability: Oxygen Content Fusion 8.1 build 2025042315

Mitigation

None

Detail

CVE-2017-16129

Severity: High

CVSS Score: 7.1

CVE-2017-16129 is a prototype pollution vulnerability in the Async library affecting versions before 2.6.4 and 3.x before 3.2.2. An attacker may abuse the mapValues() method to inject properties (for example via __proto__) into objects created by the iterator, potentially altering application behavior or escalating privileges depending on how polluted objects are later used.
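The following added example (not Async's or superagent's own code, and not part of the original advisory) shows why a mapValues-style loop that copies attacker-influenced keys into a freshly created object is risky, and two defensive variants: rejecting prototype-affecting keys, and building the result on a null-prototype object. The input object and the function names are constructed for illustration.

```javascript
'use strict';

// Keys that reach the prototype chain when assigned on a plain object.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive mapValues: mirrors the risky pattern of keying a new plain object
// by whatever keys the input carries. Assigning "__proto__" here does not
// create a property; it replaces the prototype of `out`.
function mapValuesNaive(obj, iteratee) {
  const out = {};
  for (const key of Object.keys(obj)) {
    out[key] = iteratee(obj[key], key);
  }
  return out;
}

// Hardened variant: refuse keys that would alter the prototype chain.
function mapValuesSafe(obj, iteratee) {
  const out = {};
  for (const key of Object.keys(obj)) {
    if (DANGEROUS_KEYS.has(key)) {
      throw new TypeError(`refusing to map prototype-affecting key: ${key}`);
    }
    out[key] = iteratee(obj[key], key);
  }
  return out;
}

// Alternative: a null-prototype result has no "__proto__" setter, so the
// key becomes an ordinary own data property instead of a prototype swap.
function mapValuesNullProto(obj, iteratee) {
  const out = Object.create(null);
  for (const key of Object.keys(obj)) {
    out[key] = iteratee(obj[key], key);
  }
  return out;
}

// Constructed untrusted input, e.g. a parsed request body. JSON.parse
// creates "__proto__" as an own enumerable key, so Object.keys sees it.
const untrusted = JSON.parse('{"name":"x","__proto__":{"isAdmin":true}}');

// Runs all three variants over the same input and reports what happened.
function demo() {
  const naive = mapValuesNaive(untrusted, (v) => v);
  let safeError = null;
  try { mapValuesSafe(untrusted, (v) => v); } catch (e) { safeError = e.message; }
  const nullProto = mapValuesNullProto(untrusted, (v) => v);
  return {
    naiveInheritedIsAdmin: naive.isAdmin === true,          // never set, yet inherited
    naivePrototypeReplaced: Object.getPrototypeOf(naive) !== Object.prototype,
    safeRejected: safeError !== null,
    nullProtoIsAdmin: nullProto.isAdmin,                    // undefined
    nullProtoOwnKeys: Object.keys(nullProto).join(','),     // "name,__proto__"
  };
}
```

The naive result silently gains an inherited `isAdmin` the mapping code never assigned, which is the "altering application behavior" effect the advisory describes; either defensive variant prevents it.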

Oxygen Content Fusion is not affected. Analysis of our usage shows no exploitable path.

Starting with Oxygen Content Fusion version 8.1 build 2025042315, the dependency was upgraded to a non-vulnerable version.
