Description
Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like __proto__.
Recommendation
No fix is available yet. Followings are affected versions:
- >= 0.0.11, <= 0.9.3
References
Related Issues
- rangy vulnerable to Prototype Pollution - CVE-2023-26102
- mockjs vulnerable to Prototype Pollution via the Util.extend function - CVE-2023-26158
- fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name - CVE-2023-26920
- Collection.js vulnerable to Prototype Pollution - CVE-2023-26113
- Tags:
- npm
- underscore-keypath
Anything's wrong? Let us know Last updated on November 29, 2023