CVE-2022-25645
npm/dset
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
All versions of package dset is vulnerable to Prototype Pollution via dset/merge
mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__
, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.
All versions before 3.1.2
Upgrade to version 3.1.2 or above.
2022-05-13
source |