CVE-2024-38985: depath and cool-path vulnerable to Prototype Pollution via `set()` Method

March 28, 2025 (updated March 31, 2025)

janryWang products depath v1.0.6 and cool-path v1.1.2 were discovered to contain a prototype pollution via the set() method at setIn (lib/index.js:90). This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

References

gist.github.com/mestrtee/32c0a48023036e51918f6a098f21953d
github.com/advisories/GHSA-4h4x-4m75-47j4
github.com/janryWang/depath
github.com/janryWang/depath/issues/11
nvd.nist.gov/vuln/detail/CVE-2024-38985

Code Behaviors & Features

Detect and mitigate CVE-2024-38985 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →