P.Adithya Srinivas

**Name of the Vulnerable Software and Affected Versions** deep-get-set versions prior to the version with a complete fix for the issue **Description** The issue is related to Prototype Pollution via the `deep` function in the deep-get-set package. This problem arises from an incomplete fix of a previous issue. **Recommendations** For all versions of deep-get-set, consider disabling the `deep` function as a temporary workaround until a complete fix is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** mout (affected versions not specified) **Description** The issue concerns the `deepFillIn` function and the `deepMixIn` function, which can be exploited due to a lack of key checks when accessing the target object recursively. This allows for the exploitation of the vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** sds versions 0.0.0 and later **Description** The issue allows the library to be tricked into adding or modifying properties of the Object.prototype. This is achieved by abusing the `set` function located in `js/set.js`. **Recommendations** For sds version 0.0.0, consider restricting access to the `set` function in `js/set.js` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** convict versions prior to 6.2.2 **Description** The issue allows for Prototype Pollution via the convict function due to missing validation of `parentKey`. This could enable an attacker to inject attributes used in other components or override existing attributes with incompatible types, potentially leading to a crash. The main use case of Convict is for handling server-side configurations, and while it's unlikely an admin would sabotage their own server, an uninformed admin could be tricked into writing malicious JavaScript code into config files. **Recommendations** For convict versions prior to 6.2.2, upgrade to convict@6.2.3 to resolve the issue. As a temporary workaround, consider restricting access to configuration files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** madlib-object-utils versions prior to 0.1.8 **Description** The issue allows an attacker to perform Prototype Pollution via the `setValue` method, enabling them to merge object prototypes into it. This vulnerability is a result of an incomplete fix. **Recommendations** For versions prior to 0.1.8, update to version 0.1.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `setValue` method until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** libnested versions prior to 1.5.2 **Description** The issue is related to Prototype Pollution via the `set` function in `index.js`. **Recommendations** For versions prior to 1.5.2, update to version 1.5.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** set-in versions prior to 2.0.3 **Description** The issue allows an attacker to perform Prototype Pollution via the `setIn` method, enabling them to merge object prototypes into it. This problem stems from an incomplete fix of a previous issue. **Recommendations** For versions prior to 2.0.3, update to version 2.0.3 or later to resolve the issue. As a temporary workaround, consider disabling the `setIn` method until a patch is available. Restrict access to the `setIn` method to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** bodymen versions 0.0.0 and later **Description** The issue allows for Prototype Pollution via the `handler` function, which can be tricked into adding or modifying properties of `Object.prototype` using a ` proto ` payload. **Recommendations** For bodymen versions 0.0.0 and later, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** object-path-set versions prior to 1.0.2 **Description** The issue allows an attacker to merge object prototypes into it via the setPath method, enabling Prototype Pollution. This vulnerability is a result of an incomplete fix. **Recommendations** For versions prior to 1.0.2, update to version 1.0.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the setPath method until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** @strikeentco/set versions prior to 1.0.2 **Description** This issue allows an attacker to cause a denial of service and may lead to remote code execution. It derives from an incomplete fix. **Recommendations** For versions prior to 1.0.2, update to version 1.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `@strikeentco/set` package until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** keyget versions 0.0.0 and later **Description** The issue allows an attacker to cause a denial of service and may lead to remote code execution via Prototype Pollution. This is possible through the methods `set`, `push`, and `at`. **Recommendations** For keyget versions 0.0.0 and later, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** bmoor versions prior to 0.10.1 **Description** The issue is related to Prototype Pollution due to missing sanitization in the `set` function. This problem arises from an incomplete fix. **Recommendations** For versions prior to 0.10.1, update to version 0.10.1 or later to resolve the issue. As a temporary workaround, consider disabling the `set` function until a patch is available. Restrict access to the `set` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** min-dash versions prior to 3.8.1 **Description** The issue concerns Prototype Pollution via the `set` method due to missing enforcement of key types. **Recommendations** For versions prior to 3.8.1, update to version 3.8.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** cached-path-relative versions prior to 1.1.0 **Description** The issue allows for Prototype Pollution via the `cache` variable set as `{}` instead of `Object.create(null)` in the `cachedPathRelative` function. This enables access to parent prototype properties when the object is used to create the cached relative path. Specifically, when the origin path is set as ` proto `, the attribute of the object is accessed instead of a path. **Recommendations** For versions prior to 1.1.0, update to version 1.1.0 or later to resolve the issue. As a temporary workaround, consider modifying the `cachedPathRelative` function to use `Object.create(null)` instead of `{}` for the `cache` variable to prevent Prototype Pollution.