Vulnerability	Vulnerable Version
H Prototype Pollution tree-kit is a Tree utilities which provides a full-featured extend and object-cloning facility, and various tools to deal with nested object structures. Affected versions of this package are vulnerable to Prototype Pollution via the `extend` function. An attacker-controlled object, e.g. data in JSON format received over the network and parsed by the application using tree-kit's `extend` function, can be used to pollute the prototype of the `Object.prototype` by adding and overwriting its data and functions. How to fix Prototype Pollution? Upgrade `tree-kit` to version 0.7.5 or higher.	<0.7.5
H Prototype Pollution tree-kit is a Tree utilities which provides a full-featured extend and object-cloning facility, and various tools to deal with nested object structures. Affected versions of this package are vulnerable to Prototype Pollution via `dotPath.set`. PoC: `const { dotPath } = require('tree-kit') console.log("Before: ", {}.polluted) dotPath.set({}, '__proto__.polluted', true) console.log("After: ", {}.polluted)` How to fix Prototype Pollution? Upgrade `tree-kit` to version 0.7.0 or higher.	<0.7.0

Prototype Pollution

tree-kit is a Tree utilities which provides a full-featured extend and object-cloning facility, and various tools to deal with nested object structures.

Affected versions of this package are vulnerable to Prototype Pollution via the extend function. An attacker-controlled object, e.g. data in JSON format received over the network and parsed by the application using tree-kit's extend function, can be used to pollute the prototype of the Object.prototype by adding and overwriting its data and functions.

How to fix Prototype Pollution?

Upgrade tree-kit to version 0.7.5 or higher.

<0.7.5

Prototype Pollution

tree-kit is a Tree utilities which provides a full-featured extend and object-cloning facility, and various tools to deal with nested object structures.

Affected versions of this package are vulnerable to Prototype Pollution via dotPath.set.

PoC:

const { dotPath } = require('tree-kit')

console.log("Before: ", {}.polluted)
dotPath.set({}, '__proto__.polluted', true)
console.log("After: ", {}.polluted)

How to fix Prototype Pollution?

Upgrade tree-kit to version 0.7.0 or higher.

<0.7.0

Go back to all versions of this package