Description
Dexie is a minimalistic wrapper for IndexedDB. The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like proto or constructor).
Recommendation
Update the dexie package to the latest compatible version. Followings are version details:
Affected version(s): **>= 4.0.0-alpha.1, <= 4.0.0-alpha.2 < 3.2.2** Patched version(s): **4.0.0-alpha.3 3.2.2**
References
Related Issues
- Grunt-karma vulnerable to prototype pollution - CVE-2022-37602
- Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers - CVE-2022-41878
- Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks - CVE-2022-41879
- Remote code execution via MongoDB BSON parser through prototype pollution - CVE-2022-39396
You might also like:
- Tags:
- npm
- dexie
Anything's wrong? Let us know Last updated on February 01, 2023


