Description
querymen prior to 2.1.4 allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks.
Remediation
References
https://github.com/diegohaz/querymen/commit/1987fefcb3b7508253a29502a008d5063a873cef
https://snyk.io/vuln/SNYK-JS-QUERYMEN-559867
Related Vulnerabilities
CVE-2022-3423 Vulnerability in npm package nocodb
CVE-2020-15256 Vulnerability in maven package org.webjars.npm:object-path
CVE-2022-2596 Vulnerability in maven package org.webjars.npm:node-fetch
CVE-2023-45133 Vulnerability in npm package @babel/traverse
CVE-2020-7709 Vulnerability in maven package org.webjars.npm:json-pointer