underscore-keypath vulnerable to Prototype Pollution

Severity:: High

Description

Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like __proto__.

Recommendation

No fix is available yet. Followings are affected versions:

>= 0.0.11, <= 0.9.3

References

GHSA-gpvc-mx6g-cchv
security.snyk.io
CVE-2023-26139
CWE-1321
CAPEC-310
OWASP 2021-A6

Related Issues

rollbar vulnerable to Prototype Pollution in merge() - CVE-2025-62517
Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 4 - CVE-2020-8203
Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 3 - CVE-2020-8203
Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 2 - CVE-2020-8203

Tags:: npm; underscore-keypath

Anything's wrong? Let us know Last updated on November 29, 2023