CVE-2022-25645

MEDIUM6.5EPSS 0.70%

Prototype Pollution in dset

Published: 5/3/2022Modified: 11/8/2023

Description

All versions of `dset` prior to 3.1.2 are vulnerable to Prototype Pollution via `dset/merge` mode, as the `dset` function checks for prototype pollution by validating if the top-level path contains `__proto__`, `constructor` or `prototype`. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.

Affected packages (2)

Maven/org.webjars.npm:dsetfrom 0, < 3.1.2
npm/dsetfrom 0, < 3.1.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-25645
PATCHhttps://github.com/lukeed/dset
WEBhttps://github.com/lukeed/dset/blob/master/src/merge.js%23L9
WEBhttps://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2431974
WEBhttps://snyk.io/vuln/SNYK-JS-DSET-2330881