set-or-get@1.2.8 vulnerabilities

Sets or gets an object field value.

  • latest version

    1.2.11

  • latest non vulnerable version

  • first published

    9 years ago

  • latest version published

    3 years ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the set-or-get package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    Prototype Pollution

    set-or-get sets or gets an object field value.

    Affected versions of this package are vulnerable to Prototype Pollution. The field and def arguments are not validated, which allows an attacker to supply a malicious value by setting the field value to include the __proto__ property. Because nothing checks, before the assignment, whether the assigned field is the object's own property, the property isAdmin is assigned directly to the empty obj ({}), thereby polluting the Object prototype. Any check that validates isAdmin would then see the value true, because it has been polluted.
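
The missing own-property check described above, as an added example that is not code from the set-or-get package: naiveSetOrGet and safeSetOrGet are hypothetical helpers, the first modelled on the advisory's description and the second rejecting prototype-reaching field names. It goes slightly beyond the advisory by also blocking constructor and prototype and by normalising non-string field values.

```javascript
// Added example: hypothetical helpers, not the set-or-get package's code.

// Naive form modelled on the advisory's description: `field` is used as a
// key with no validation, so "__proto__" resolves to the shared prototype.
function naiveSetOrGet(obj, field, def) {
  if (obj[field] === undefined) obj[field] = def;
  return obj[field];
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened form: reject prototype-reaching keys and only ever read or
// create the object's own properties.
function safeSetOrGet(obj, field, def) {
  // Normalise first: a value such as ['__proto__'] coerces to "__proto__"
  // when used as a property key, so the check must see the coerced string.
  const key = typeof field === 'symbol' ? field : String(field);
  if (BLOCKED_KEYS.has(key)) {
    throw new TypeError(`refusing unsafe field name: ${String(key)}`);
  }
  if (!Object.prototype.hasOwnProperty.call(obj, key)) {
    Object.defineProperty(obj, key, {
      value: def, writable: true, enumerable: true, configurable: true,
    });
  }
  return obj[key];
}

// Constructed check: what each helper hands back for the same inputs.
function demo() {
  const naiveResult = naiveSetOrGet({}, '__proto__', {});
  let blocked = false;
  try {
    safeSetOrGet({}, '__proto__', {});
  } catch (e) {
    blocked = e instanceof TypeError;
  }
  return {
    // The caller receives Object.prototype itself, shared by every object.
    naiveReturnsSharedPrototype: naiveResult === Object.prototype,
    safeRejectsProto: blocked,
    // An inherited name is shadowed by an own property, not reused.
    safeShadowsInherited: safeSetOrGet({}, 'toString', 'own') === 'own',
  };
}

console.log(demo());
```
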

    How to fix Prototype Pollution?

    Upgrade set-or-get to version 1.2.11 or higher.

    >=1.0.0 <1.2.11