Vulnerabilities > CVE-2022-25354 - Unspecified vulnerability in Set-In Project Set-In

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

set-in-project

critical

NVD

Published: 2022-03-17

Updated: 2024-11-21

Summary

The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049)

Vulnerable Configurations

Part	Description	Count
Application	Set-In_Project SET IN Project SET IN 1.0.0 SET IN Project SET IN 1.1.0 SET IN Project SET IN 1.1.1 SET IN Project SET IN 2.0.0 SET IN Project SET IN 2.0.1 SET IN Project SET IN 2.0.2	6

References

https://github.com/ahdinosaur/set-in/blob/dfc226d95cce8129de6708661e06e0c2c06f3490/index.js%23L5
https://github.com/ahdinosaur/set-in/blob/dfc226d95cce8129de6708661e06e0c2c06f3490/index.js%23L5
https://github.com/ahdinosaur/set-in/commit/6bad255961d379e4b1f5fbc52ef9dc8420816f24
https://github.com/ahdinosaur/set-in/commit/6bad255961d379e4b1f5fbc52ef9dc8420816f24
https://snyk.io/vuln/SNYK-JS-SETIN-2388571
https://snyk.io/vuln/SNYK-JS-SETIN-2388571