CVE-2021-25915

Name of the Vulnerable Software and Affected Versions changeset versions 0.0.1 through 0.2.5

Description The issue allows an attacker to cause a denial of service and may lead to remote code execution due to a prototype pollution vulnerability. The apply() function in the 'changeset' npm module does not check the type of object before assigning a value to a property, which can be abused to create non-existent properties or manipulate existing ones. This can be achieved by supplying a malicious value to the changes argument, including the proto property, allowing an attacker to pollute the Object prototype.

Recommendations For versions 0.0.1 through 0.2.5, consider disabling the apply() function until a patch is available to prevent potential exploitation. Restrict access to the changeset module to minimize the risk of denial of service or remote code execution. Avoid using the changes argument in the apply() function without proper validation to prevent prototype pollution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.