Prototype Pollution in Dexie

Description

Dexie is a minimalistic wrapper for IndexedDB. The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like proto or constructor).

Recommendation

Update the dexie package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 4.0.0-alpha.1, <= 4.0.0-alpha.2

  < 3.2.2**

• Patched version(s): **4.0.0-alpha.3

  3.2.2**

References

• GHSA-3xgx-r9j4-qw9w
• snyk.io
• CVE-2022-21189
• CWE-1321
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Prototype Pollution in protobufjs - CVE-2022-25878
• Prototype Pollution in JSON5 via Parse Method - CVE-2022-46175
• Grunt-karma vulnerable to prototype pollution - CVE-2022-37602
• thlorenz browserify-shim vulnerable to prototype pollution - browserify-shim - GHSA-cfgr-75jx-h88g - CVE-2022-37623

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

dexie