GHSA-2c4m-g7rx-63q7: set-in Affected by Prototype Pollution
A prototype pollution vulnerability exists in the npm package set-in (versions >=2.0.1). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.
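To make the mitigation class concrete, the following is an added example of a hardened "set a value at a key path" helper. It is not the set-in package's own code, and the function names (setIn, prototypesClean), the forbidden-key list and the immutable copy-on-write behaviour are assumptions. The two defences it combines are the ones a key-name blocklist alone does not give you: forbidden segments are rejected at every depth of the path, and the walk only descends into a node's own properties, so an inherited value (such as a method found on Array.prototype or Object.prototype) is treated as absent and a fresh container is created instead of writing through to the shared prototype.

```javascript
// Added example illustrating a mitigation for GHSA-2c4m-g7rx-63q7.
// Not the set-in package's code; names and behaviour are assumptions.

// Keys that can reach a prototype object from a plain object or array.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Reject unsafe or non-primitive path segments. Called for every segment,
// not just the first, so nested paths are covered too.
function assertSafeSegment(key) {
  if (typeof key !== 'string' && typeof key !== 'number') {
    throw new TypeError(`path segment must be a string or number, got ${typeof key}`);
  }
  if (FORBIDDEN_KEYS.has(String(key))) {
    throw new Error(`refusing to traverse forbidden key "${key}"`);
  }
}

// Only look at the node's *own* data properties. Inherited values
// (e.g. Array.prototype.map when the node is an array) count as absent.
function ownChild(node, key) {
  return Object.prototype.hasOwnProperty.call(node, key) ? node[key] : undefined;
}

// Accept only arrays and plain objects (Object.prototype or null prototype)
// as intermediate containers; anything else is replaced, never mutated.
function isPlainContainer(value) {
  if (Array.isArray(value)) return true;
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Immutable-style update: returns a shallow copy of `obj` with `value`
// placed at `path`, leaving the input and every prototype untouched.
function setIn(obj, path, value) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array of keys');
  }
  for (const key of path) assertSafeSegment(key);

  const [head, ...rest] = path;
  const copy = Array.isArray(obj) ? obj.slice() : Object.assign({}, obj);
  if (rest.length === 0) {
    copy[head] = value;
    return copy;
  }
  const existing = ownChild(obj, head);
  // Reuse the existing own container if it is a plain one, else start fresh.
  const next = isPlainContainer(existing) ? existing : {};
  copy[head] = setIn(next, rest, value);
  return copy;
}

// Defender-side check: true when neither shared prototype has gained `marker`.
function prototypesClean(marker) {
  return !(marker in Object.prototype) && !(marker in Array.prototype);
}

module.exports = { setIn, prototypesClean };
```

The own-property rule is the part that a blocklist on its own misses: a blocklist decides what a key is called, while `ownChild` decides where a key is allowed to lead, and an inherited property is never a valid place to write. In a real code base the same `prototypesClean` style of check is also useful in a test suite as a regression guard after any change to path-handling code.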
References
- github.com/advisories/GHSA-2c4m-g7rx-63q7
- github.com/ahdinosaur/set-in
- github.com/ahdinosaur/set-in/commit/34842cc02de3fd65d6f8bd0b268347e7b390125b
- github.com/ahdinosaur/set-in/commit/6bad255961d379e4b1f5fbc52ef9dc8420816f24
- github.com/ahdinosaur/set-in/commit/d87c1a09fa2edb55cd76440a67d83d1cb828df11
- github.com/ahdinosaur/set-in/pull/6
- github.com/ahdinosaur/set-in/security/advisories/GHSA-2c4m-g7rx-63q7