CVE-2023-26139: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

August 1, 2023 (updated November 7, 2023)

Versions of the package underscore-keypath from 0.0.11 is vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like “proto”.

References

gist.github.com/lelecolacola123/cc0d1e73780127aea9482c05f2ff3252
nvd.nist.gov/vuln/detail/CVE-2023-26139
security.snyk.io/vuln/SNYK-JS-UNDERSCOREKEYPATH-5416714

Detect and mitigate CVE-2023-26139 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →