CVE-2022-25645

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in npm/dset

Identifiers

CVE-2022-25645

Package Slug

npm/dset

Vulnerability

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Description

All versions of package dset is vulnerable to Prototype Pollution via dset/merge mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.

Affected Versions

All versions before 3.1.2

Solution

Upgrade to version 3.1.2 or above.

Last Modified

2022-05-13

source