CVE-2022-25645

MEDIUM6.5EPSS 0.70%

Prototype Pollution in dset

發布日:2022/5/3修改日:2023/11/8

描述

All versions of `dset` prior to 3.1.2 are vulnerable to Prototype Pollution via `dset/merge` mode, as the `dset` function checks for prototype pollution by validating if the top-level path contains `__proto__`, `constructor` or `prototype`. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.

受影響套件(2)

Maven/org.webjars.npm:dsetfrom 0, < 3.1.2
npm/dsetfrom 0, < 3.1.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-25645
PATCHhttps://github.com/lukeed/dset
WEBhttps://github.com/lukeed/dset/blob/master/src/merge.js%23L9
WEBhttps://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2431974
WEBhttps://snyk.io/vuln/SNYK-JS-DSET-2330881