PT-2020-16966 · Deep-Set · Deep-Set

Published: 2020-12-29 · Updated: 2022-05-24 · CVE-2020-28276

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: deep-set versions 1.0.0 through 1.0.1

Description: The issue allows an attacker to cause a denial of service and may lead to remote code execution due to a prototype pollution vulnerability. This is because the deepSet() function does not check the type of the object it is traversing before assigning a value to a property, which lets an attacker create properties that do not exist or manipulate existing ones.

Recommendations: For deep-set versions 1.0.0 through 1.0.1, consider disabling the deepSet() function until a patch is available to prevent potential exploitation. Restrict the use of the deepSet() function to minimize the risk of denial of service or remote code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
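The defect described above is a setter that walks an attacker-supplied key path and assigns into whatever it reaches, without checking what it is traversing. The following JavaScript is an added example written for this page, not the deep-set package's own code or its fix; it shows the checks a hardened deep-set needs (rejecting reserved keys, descending only into own, plain-object properties) so that a hostile path cannot reach a shared prototype. It assumes a dot-separated string or array path and a plain-object target; the names safeDeepSet, isPlainObject, rejectsReservedPath and FORBIDDEN_KEYS are the example's own.

```javascript
// Added example (hypothetical code, not the deep-set package's implementation).
// Keys that would redirect a write onto a shared prototype are refused outright.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects (Object.prototype or null prototype) are safe to descend into.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened deep-set: sets target[k1][k2]...[kn] = value, creating intermediate
// plain objects as own properties and refusing to walk into anything else.
function safeDeepSet(target, path, value) {
  if (!isPlainObject(target)) {
    throw new TypeError('target must be a plain object');
  }
  const keys = Array.isArray(path) ? path : String(path).split('.');
  if (keys.length === 0) throw new TypeError('empty path');

  let node = target;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to set reserved key "${key}"`);
    }
    if (i === keys.length - 1) {
      node[key] = value;
      return target;
    }
    // Look only at own properties so inherited objects are never traversed.
    const next = Object.prototype.hasOwnProperty.call(node, key) ? node[key] : undefined;
    if (next === undefined) {
      node[key] = {};
    } else if (!isPlainObject(next)) {
      throw new TypeError(`cannot descend into non-object at "${keys.slice(0, i + 1).join('.')}"`);
    }
    node = node[key];
  }
  return target;
}

// Check helper: true when the setter refuses a given path with a TypeError
// and the global Object.prototype is left untouched.
function rejectsReservedPath(path) {
  try {
    safeDeepSet({}, path, 'x');
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Usage (constructed input): a normal nested write succeeds.
console.log(JSON.stringify(safeDeepSet({}, 'config.db.port', 5432)));
// Reserved keys on the path are rejected instead of reaching the prototype.
console.log('reserved key rejected:', rejectsReservedPath('__proto__.polluted'));
```

Restricting traversal to own properties matters as much as the key blocklist: an inherited object reachable through an ordinary-looking key is still shared state, and refusing to descend into it (or into primitives) is what turns a silent pollution into a loud TypeError that application code and logs can surface.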

Exploit

Prototype Pollution


Weakness Enumeration

Related Identifiers

CVE-2020-28276
GHSA-WGXM-RG53-H2C6

Affected Products

Deep-Set