PT-2021-14403 · Dynamoose · Dynamoose

Fishcharlie · Published 2021-02-08 · Updated 2022-10-25 · CVE-2021-21304
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Dynamoose versions 2.0.0 through 2.6.0
Description: Dynamoose is an open-source modeling tool for Amazon's DynamoDB. A prototype pollution vulnerability was found in the internal utility method lib/utils/object/set.ts, which is used throughout the codebase for various operations. There is no evidence that this vulnerability has been exploited. The issue does not impact versions 1.x.x, as the vulnerable method was added in the v2 rewrite; the 2.x.x alpha and beta pre-releases are also affected.
Recommendations: For Dynamoose versions 2.0.0 through 2.6.0, update to version 2.7.0 or greater to patch the vulnerability. As a temporary workaround, consider restricting the use of the lib/utils/object/set.ts method until a patch is applied.
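As an added illustration of the bug class (constructed example, not Dynamoose's own lib/utils/object/set.ts), a minimal path-based set helper that follows a `__proto__` key segment into Object.prototype, beside a hardened version that rejects prototype-related segments and only descends into own properties. The helper names `unsafeSet`, `safeSet` and `demonstrate` are assumptions for this example.

```javascript
// Constructed stand-in for a "set value at dotted path" utility. Not Dynamoose code.
function unsafeSet(obj, path, value) {
  const keys = path.split(".");
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    // Walks into whatever the key resolves to, including the inherited
    // "__proto__" accessor, so the final assignment can land on Object.prototype.
    if (typeof cur[keys[i]] !== "object" || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Segments that must never be treated as ordinary data keys.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened variant: reject dangerous segments up front and only descend into
// properties the current object itself owns, never inherited ones.
function safeSet(obj, path, value) {
  const keys = path.split(".");
  for (const k of keys) {
    if (FORBIDDEN_SEGMENTS.has(k)) throw new Error(`refusing forbidden key segment "${k}"`);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== "object" || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Shows the effect on an unrelated object, then restores Object.prototype.
function demonstrate() {
  const before = ({}).polluted;
  unsafeSet({}, "__proto__.polluted", "yes");
  const after = ({}).polluted; // "yes": every plain object now inherits it
  delete Object.prototype.polluted; // clean up so the process is not left polluted
  return { before, after };
}
```

A quick runtime check for this condition in any Node process is `Object.prototype.hasOwnProperty.call(Object.prototype, "polluted")` for a suspected key, which should always be false.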

Fix

Prototype Pollution


Weakness Enumeration

Related Identifiers

CVE-2021-21304
GHSA-RRQM-P222-8PH2

Affected Products

Dynamoose