Prototype pollution in set-in

set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.

N/A

CWE-1321

set-in 安全漏洞

set-in是Mikey个人开发者的一个JavaScript库。 set-in 2.0.1至2.0.5之前版本存在安全漏洞，该漏洞源于对用户输入检查不足，可能导致通过特制输入污染Object.prototype的原型污染攻击。

N/A

N/A