Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mNnY0LWNmNWotdmYzd84AA_c_
dset Prototype Pollution vulnerability
Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property proto, which is recursively assigned to all the objects in the program.
Permalink: https://github.com/advisories/GHSA-f6v4-cf5j-vf3wJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNnY0LWNmNWotdmYzd84AA_c_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 2 months ago
Updated: 2 months ago
CVSS Score: 8.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Identifiers: GHSA-f6v4-cf5j-vf3w, CVE-2024-21529
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-21529
- https://github.com/lukeed/dset/commit/16d6154e085bef01e99f01330e5a421a7f098afa
- https://security.snyk.io/vuln/SNYK-JS-DSET-7116691
- https://github.com/advisories/GHSA-f6v4-cf5j-vf3w
Blast Radius: 35.6
Affected Packages
npm:dset
Dependent packages: 150Dependent repositories: 21,685
Downloads: 19,037,588 last month
Affected Version Ranges: < 3.1.4
Fixed in: 3.1.4
All affected versions: 0.0.0, 1.0.0, 1.0.1, 2.0.0, 2.0.1, 2.1.0, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3
All unaffected versions: 3.1.4