CVE-2021-23442 — Prototype Pollution in cookiex/deep

Description

The npm @cookiex/deep package before version 0.0.7 has a prototype pollution vulnerability. The global proto object can be polluted using the __proto__ object.

How to fix CVE-2021-23442

To remediate CVE-2021-23442, upgrade the affected package to a fixed version below.

npm/@cookiex/deep—upgrade to 0.0.7 or later

Is CVE-2021-23442 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.0.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23442
PATCHgithub.com/tony-tsx/cookiex-deep
WEBgithub.com/tony-tsx/cookiex-deep/commit/b5bea2b7f34a5fa9abb4446cbd038ecdbcd09c88
WEBgithub.com/tony-tsx/cookiex-deep/issues/1
WEB