Vulnerabilities > CVE-2022-25354 - Unspecified vulnerability in Set-In Project Set-In

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

set-in-project

NVD

Published: 2022-03-17

Updated: 2022-03-24

Summary

The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049)

Vulnerable Configurations

Part	Description	Count
Application	Set-In_Project SET IN Project SET IN 1.0.0 SET IN Project SET IN 1.1.0 SET IN Project SET IN 1.1.1 SET IN Project SET IN 2.0.0 SET IN Project SET IN 2.0.1 SET IN Project SET IN 2.0.2	6

References

https://github.com/ahdinosaur/set-in/blob/dfc226d95cce8129de6708661e06e0c2c06f3490/index.js%23L5
https://github.com/ahdinosaur/set-in/commit/6bad255961d379e4b1f5fbc52ef9dc8420816f24
https://snyk.io/vuln/SNYK-JS-SETIN-2388571