Description
Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like __proto__.
Recommendation
No fix is available yet. Followings are affected versions:
- >= 0.0.11, <= 0.9.3
References
Related Issues
- Collection.js vulnerable to Prototype Pollution - CVE-2023-26113
- mockjs vulnerable to Prototype Pollution via the Util.extend function - CVE-2023-26158
- Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
- fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name - CVE-2023-26920
- Tags:
- npm
- underscore-keypath
Anything's wrong? Let us know Last updated on November 29, 2023