Impact
The set method is vulnerable to prototype pollution with specially crafted inputs.
// insert the following into poc.js and run node poc,js (after installing the package)
let parser = require("min-dash");
parser.set({}, [["__proto__"], "polluted"], "success");
console.log(polluted);Patches
min-dash>=3.8.1 fix the issue.
Workarounds
No workarounds exist for the issue.
References
Closed via #21.
Credits
Credits to Cristian-Alexandru STAICU who found the vulnerability and to Idan Digmi from the Snyk Security Team who reported the vulnerability to us, responsibly.
cristianstaicu Analyst
Impact
The
setmethod is vulnerable to prototype pollution with specially crafted inputs.Patches
min-dash>=3.8.1fix the issue.Workarounds
No workarounds exist for the issue.
References
Closed via #21.
Credits
Credits to Cristian-Alexandru STAICU who found the vulnerability and to Idan Digmi from the Snyk Security Team who reported the vulnerability to us, responsibly.