You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains proto, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv2:
Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
Base Score: HIGH (8.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains proto, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv2:
Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
Base Score: HIGH (8.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers
pkg:npm/dset@3.1.3 (Confidence:Highest)
cpe:2.3:a:dset_project:dset:3.1.3:::::::* (Confidence:Highest)
Published Vulnerabilities
CVE-2022-25645
All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains proto, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv2:
Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
Base Score: HIGH (8.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
MISC - https://github.com/lukeed/dset/blob/master/src/merge.js%23L9
MISC - #38
MISC - https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2431974
MISC - https://snyk.io/vuln/SNYK-JS-DSET-2330881
Vulnerable Software & Versions:
cpe:2.3:a:dset_project:dset::::::node.js::*
Identifiers
pkg:npm/dset@3.1.3 (Confidence:Highest)
cpe:2.3:a:dset_project:dset:3.1.3:::::::* (Confidence:Highest)
Published Vulnerabilities
CVE-2022-25645
All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains proto, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv2:
Base Score: MEDIUM (6.8)
Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3:
Base Score: HIGH (8.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
MISC - https://github.com/lukeed/dset/blob/master/src/merge.js%23L9
MISC - #38
MISC - https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2431974
MISC - https://snyk.io/vuln/SNYK-JS-DSET-2330881
Vulnerable Software & Versions:
cpe:2.3:a:dset_project:dset::::::node.js::*
The text was updated successfully, but these errors were encountered: