Prototype Pollution in Dexie

Severity:: High

Description

Dexie is a minimalistic wrapper for IndexedDB. The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like proto or constructor).

Recommendation

Update the dexie package to the latest compatible version. Followings are version details:

Affected version(s): **>= 4.0.0-alpha.1, <= 4.0.0-alpha.2 < 3.2.2**
Patched version(s): **4.0.0-alpha.3 3.2.2**

References

GHSA-3xgx-r9j4-qw9w
snyk.io
CVE-2022-21189
CWE-1321
CAPEC-310
OWASP 2021-A6

Related Issues

Prototype Pollution in lodash - CVE-2018-3721
Cross-site Scripting in quill - CVE-2021-3163
Prototype Pollution in async - CVE-2021-43138
Joplin Remote Code Execution - CVE-2022-40277

Tags:: npm; dexie

Anything's wrong? Let us know Last updated on February 01, 2023