CVE-2022-25645 - Unspecified vulnerability in Dset Project Dset
- Attack vector: NETWORK
- Attack complexity: HIGH
- Privileges required: NONE
- Confidentiality impact: HIGH
- Integrity impact: HIGH
- Availability impact: HIGH

Summary
All versions of the package dset are vulnerable to Prototype Pollution via the 'dset/merge' mode, because the dset function checks for prototype pollution only by validating whether the top-level path contains __proto__, constructor or prototype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
References
- https://github.com/lukeed/dset/blob/master/src/merge.js#L9
- https://github.com/lukeed/dset/pull/38
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2431974
- https://snyk.io/vuln/SNYK-JS-DSET-2330881