Description
The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.
Remediation
References
https://hackerone.com/reports/390929
Related Vulnerabilities
CVE-2020-5397 Vulnerability in maven package org.springframework:spring-webflux
CVE-2021-41248 Vulnerability in npm package graphiql
CVE-2020-26296 Vulnerability in maven package org.webjars.bower:vega
CVE-2022-24999 Vulnerability in npm package qs
CVE-2022-45383 Vulnerability in maven package org.jenkins-ci.plugins:support-core