underscore-keypath vulnerable to Prototype Pollution

Severity:: High

Description

Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like __proto__.

Recommendation

No fix is available yet. Followings are affected versions:

>= 0.0.11, <= 0.9.3

References

GHSA-gpvc-mx6g-cchv
security.snyk.io
CVE-2023-26139
CWE-1321
CAPEC-310
OWASP 2021-A6

Related Issues

Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 5 - CVE-2020-8203
Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 3 - CVE-2020-8203
Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 2 - CVE-2020-8203
IPX Allows Path Traversal via Prefix Matching Bypass - CVE-2025-54387

Tags:: npm; underscore-keypath

Anything's wrong? Let us know Last updated on November 29, 2023