Security Fix for Prototype Pollution

[ready-research]

Fix prototype pollution when path components are not strings
Reported in https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/

Can you please validate this huntr report?

[jonschlinkert]

Great catch. thank you! we'll issue a patch ASAP. sorry this escaped my radar, ideally I'd be spending all of my time on open source but I can't yet.

[benjifin]

Hey @jonschlinkert and @ready-research note that we at Snyk have already disclosed this vulnerability and assigned it CVE-2021-23435.

This vulnerability was originally disclosed as part of our team's research into type confusion vulnerabilities which is why we have gone ahead and assigned it the CVE we reserved for it - despite this we have been happy to credit ready-research as well as our team member's as part of it's discovery in our advisory: https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541 and link to all relevant info including the huntr advisory in the CVE issued.

[JamieSlome]

@benjifin - we have stopped the CVE assignment process and have now referenced the existing CVE against our report.

Cheers! 🎉

[ready-research]

@jonschlinkert Can you please confirm the fix in huntr. So that we can disclose this report publicly. Thank you.

[jonschlinkert]

No, I will not confirm this in your application. You will be banned from every project I have if you spam that request one more time. You’ve already crossed the spam threshold and are bordering on hostility. Stop.

…

Sent from my iPhone

On Sep 13, 2021, at 1:06 PM, ready-research ***@***.***> wrote:  @jonschlinkert Can you please confirm the fix in huntr. So that we can disclose this report publicly. Thank you. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android.

[ready-research]

Sorry for the inconvenience caused to you.
It is the application policy to disclose publicly only when it is confirmed with fix by the maintainer. That is the reason I reminded you multiple times. I will not remind it again and really sorry for bothering you again.

[afdev82]

Would you mind to backport the patch?
I could provide a PR if you are willing to bump a v2.0.2 with it.
Many packages, dependencies of @rails/webpacker / webpack are using the v2.0.1.
Thank you for your support!

[1dsb]

Can I add my support for a backport to version 2 as well. Angular 10 (still in support) uses the version of webpack that in turn uses set-value V2.
Thanks.

[joeyJsonar]

Any updates on the backport? The reason I can't just jump to 4.0.1 from 3.0.1 is that I need to upgrade 1 major version on node, from 10 to 11, which is very risky atm.