CVE-2022-25862: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

May 13, 2022 (updated May 24, 2022)

This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of the Object.prototype by abusing the set function located in js/set.js. Note: This vulnerability derives from an incomplete fix to CVE-2020-7618

References

github.com/monsterkodi/sds/blob/master/js/set.js
nvd.nist.gov/vuln/detail/CVE-2022-25862
snyk.io/vuln/SNYK-JS-SDS-2385944

Detect and mitigate CVE-2022-25862 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →