Description

Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like “__proto__”.

Remediation

References

https://security.snyk.io/vuln/SNYK-JS-UNDERSCOREKEYPATH-5416714

https://gist.github.com/lelecolacola123/cc0d1e73780127aea9482c05f2ff3252

Related Vulnerabilities

CVE-2022-26112 Vulnerability in maven package org.apache.pinot:pinot-controller

CVE-2020-7733 Vulnerability in maven package org.webjars.bowergithub.faisalman:ua-parser-js

CVE-2017-2609 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2015-8854 Vulnerability in npm package marked

CVE-2023-49293 Vulnerability in npm package vite

Severity

High

Classification

CWE-1321 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Third Party Advisory