Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property proto, which is recursively assigned to all the objects in the program.
All versions of package dset is vulnerable to Prototype Pollution via dset/merge mode, as the dset function checks for prototype pollution by validating if the top-level path contains proto, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.
Prototype pollution vulnerability in dset allows attacker to cause a denial of service and may lead to remote code execution.