CVE-2020-28277

Name of the Vulnerable Software and Affected Versions dset versions 1.0.0 through 2.0.1

Description The issue allows an attacker to cause a denial of service and may lead to remote code execution due to a prototype pollution vulnerability. The NPM module 'dset' can be abused since the function export() did not check for the type of object before assigning a value to the property. This flaw enables an attacker to create a non-existent property or manipulate the property, leading to denial of service or potentially remote code execution. The export function accepts three arguments obj, keys, val, and due to the absence of validation, an attacker can supply a malicious value by adjusting the keys value to include the proto property.

Recommendations For dset versions 1.0.0 through 2.0.1, consider disabling the export() function until a patch is available to prevent potential exploitation. Restrict access to the dset module to minimize the risk of exploitation. Avoid using the keys and val arguments in the affected export function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.