CVE-2023-26132: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

June 10, 2023 (updated November 7, 2023)

Versions of the package dottie before 2.0.4 is vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.

References

github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js%23L107
github.com/mickhansen/dottie.js/commit/7d3aee1c9c3c842720506e131de7e181e5c8db68
nvd.nist.gov/vuln/detail/CVE-2023-26132
security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763

Detect and mitigate CVE-2023-26132 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →