Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWN3eDItNzM2eC1tZjZ3

High EPSS: 0.00311% (0.53704 Percentile) EPSS:
Permalink JSON

Prototype pollution in object-path

Affected Packages Affected Versions Fixed Versions
npm:object-path < 0.11.5 0.11.5
1,645 Dependent packages
950,121 Dependent repositories
9,961,372 Downloads last month

Affected Version Ranges

All affected versions

0.0.1, 0.1.0, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4

All unaffected versions

0.11.5, 0.11.6, 0.11.7, 0.11.8

Impact

A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable.

Patches

Upgrade to version >= 0.11.5

Workarounds

Don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.

References

Read more about the prototype pollution vulnerability

For more information

If you have any questions or comments about this advisory:

References:

Identifiers

GHSA-cwx2-736x-mf6w

CVE-2020-15256

Risk

Severity

High

EPSS

EPSS Percentage: 0.00311

EPSS Percentile: 0.53704

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/mariocasciaro/object-path

Date and time

Published

almost 5 years ago

Updated

over 1 year ago

API

JSON