Description

Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like “__proto__”.

Remediation

References

https://gist.github.com/lelecolacola123/cc0d1e73780127aea9482c05f2ff3252

https://security.snyk.io/vuln/SNYK-JS-UNDERSCOREKEYPATH-5416714

Related Vulnerabilities

CVE-2020-6429 Vulnerability in npm package electron

CVE-2019-10398 Vulnerability in maven package org.jenkins-ci.plugins:beaker-builder

CVE-2012-0838 Vulnerability in maven package org.apache.struts.xwork:xwork-core

CVE-2021-3810 Vulnerability in npm package code-server

CVE-2023-39156 Vulnerability in maven package org.jenkins-ci.plugins:bazaar

Severity

High

Classification

CWE-1321 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Third Party Advisory