set-or-get@1.2.0 vulnerabilities

Sets or gets an object field value.

Direct Vulnerabilities

Known vulnerabilities in the set-or-get package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Prototype Pollution
Severity: H (High)

set-or-get is a package that sets or gets an object field value.

Affected versions of this package are vulnerable to Prototype Pollution. The field and def arguments are not validated, so an attacker can supply a malicious field value that includes the __proto__ property. Because no check is made before assignment as to whether the target field is the object's own property, a property such as isAdmin written to an empty object ({}) lands on Object.prototype instead, polluting it. Any later check of isAdmin on an unrelated object then sees the polluted value true.
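To make the mechanism above concrete, here is an added example (not set-or-get's own code): a minimal stand-in for the field/def path-setter pattern, a demonstration of how a field path containing __proto__ pollutes Object.prototype, and a hardened variant that rejects reserved keys and only assigns own properties. The names setOrGetVulnerable, setOrGetSafe and demoPollution are hypothetical.

```javascript
// Minimal stand-in for a set-or-get style helper (hypothetical, NOT the
// library's code): walk a dotted `field` path, create missing intermediate
// objects, and assign `def` when the final key is absent.
function setOrGetVulnerable(obj, field, def) {
  const keys = field.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    // No own-property check: `{}['__proto__']` is Object.prototype, not
    // undefined, so the walk silently steps onto the shared prototype.
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  const last = keys[keys.length - 1];
  if (cur[last] === undefined) cur[last] = def;
  return cur[last];
}

// Hardened variant: refuse prototype-walking segments up front, and treat
// only own properties as "already present".
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function setOrGetSafe(obj, field, def) {
  const keys = field.split('.');
  if (keys.some((k) => RESERVED_KEYS.has(k))) {
    throw new TypeError(`refusing reserved key in field path "${field}"`);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!hasOwn(cur, keys[i])) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  const last = keys[keys.length - 1];
  if (!hasOwn(cur, last)) cur[last] = def;
  return cur[last];
}

// Reproduces the advisory's scenario: the field argument is attacker
// controlled, the target object is an empty {}, and an unrelated object
// afterwards reports isAdmin === true. Cleans up the prototype again.
function demoPollution() {
  const before = {}.isAdmin;                 // undefined
  setOrGetVulnerable({}, '__proto__.isAdmin', true);
  const after = {}.isAdmin;                  // true: Object.prototype polluted
  delete Object.prototype.isAdmin;
  return { before, after };
}
```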

How to fix Prototype Pollution?

Upgrade set-or-get to version 1.2.11 or higher.

Vulnerable versions: >=1.0.0 <1.2.11