CVE-2020-7766: Injection Vulnerability

November 10, 2020 (updated July 21, 2021)

This affects all versions of package json-ptr. The issue occurs in the set operation https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#set when the force flag is set to true. The function recursively sets the property in the target object, however it does not properly check the key being set, leading to a prototype pollution.

References

nvd.nist.gov/vuln/detail/CVE-2020-7766

Detect and mitigate CVE-2020-7766 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →