PT-2022-14912 · Dexie · Dexie

Alessio Della Libera

Published: 2022-05-01 · Updated: 2022-05-11

CVE-2022-21189

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Dexie versions prior to 3.2.2
Dexie versions 4.0.0-alpha.1 through 4.0.0-alpha.3
Description

The issue arises because the Dexie.setByKeyPath(obj, keyPath, value) function does not validate the segments of the key path it walks, so segments such as __proto__ or constructor are followed like any other property name. An attacker who controls a key path can therefore add or modify properties of Object.prototype, which is a prototype pollution vulnerability: every object in the application inherits the injected property. The vulnerable function is reachable through several code paths, for example when a collection is modified using key paths or values taken from untrusted user input.
Recommendations

For Dexie versions prior to 3.2.2, update to version 3.2.2 or later. For Dexie versions 4.0.0-alpha.1 through 4.0.0-alpha.3, update to version 4.0.0-alpha.4 or later. If upgrading is not immediately possible, do not call Dexie.setByKeyPath() with key paths derived from untrusted input, and do not pass untrusted user input (such as a client-supplied changes object) into collection modification operations; reject or allow-list key paths before they reach Dexie.
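To make the description and the fix concrete, the following JavaScript is an added example and is not Dexie's own code nor the actual patch. It models a setByKeyPath-style helper in a deliberately vulnerable form (no key validation, descends into inherited properties) beside a hardened form (deny-list of prototype-related segments, descends only into own properties), and drives both with a constructed changes object of the kind an application might forward from untrusted input to a modify operation. The applyChanges helper, the FORBIDDEN_KEYS list and the payload are assumptions for illustration.

```javascript
// Added example (not Dexie's code): vulnerable vs. hardened setByKeyPath model.

// Assumed deny-list of path segments that lead to a prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable model: walks the dotted path, creating intermediate objects,
// without inspecting the key names. "__proto__" walks onto Object.prototype;
// "constructor.prototype" reaches it through the inherited Object constructor.
function setByKeyPathVulnerable(obj, keyPath, value) {
  const keys = keyPath.split(".");
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] === undefined || cur[k] === null) cur[k] = {};
    cur = cur[k]; // may now be Object.prototype or Object itself
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened model: reject prototype-related segments up front and only
// descend into the target's own data properties, never inherited ones.
function setByKeyPathSafe(obj, keyPath, value) {
  const keys = keyPath.split(".");
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new TypeError(`refusing to set forbidden key "${k}" in key path "${keyPath}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || cur[k] === null || typeof cur[k] !== "object") cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Assumed model of a modify-style operation: every key of the (untrusted)
// changes object is treated as a key path and applied with the given setter.
function applyChanges(record, changes, setter) {
  for (const keyPath of Object.keys(changes)) setter(record, keyPath, changes[keyPath]);
  return record;
}

function demonstrate() {
  // Constructed attacker payload, e.g. a JSON body forwarded into a modify call.
  const payload = JSON.parse(
    '{"__proto__.polluted": "yes", "constructor.prototype.polluted2": 1}'
  );
  const results = {};

  // Vulnerable path: both segments reach Object.prototype.
  applyChanges({ id: 1 }, payload, setByKeyPathVulnerable);
  results.vulnerablePolluted = ({}).polluted === "yes";     // every object now inherits .polluted
  results.vulnerableViaConstructor = ({}).polluted2 === 1;
  delete Object.prototype.polluted;                         // clean up the global state we just broke
  delete Object.prototype.polluted2;

  // Hardened path: the same payload is rejected before anything is written.
  let rejected = false;
  try {
    applyChanges({ id: 1 }, payload, setByKeyPathSafe);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  results.safeRejected = rejected && ({}).polluted === undefined;

  // A legitimate nested update still works with the hardened version.
  const rec = applyChanges({ id: 1 }, { "address.city": "Oslo" }, setByKeyPathSafe);
  results.safeNested = rec.address.city === "Oslo";
  return results;
}

console.log(demonstrate());
```

The deny-list alone is not sufficient in general (a key path could arrive as an array, or the target could be a class instance with a writable prototype chain), which is why the hardened version also refuses to descend into anything that is not an own data property of the current object; the upgrade to a patched Dexie release remains the actual remediation.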

Weakness Enumeration

Prototype Pollution

Related Identifiers

CVE-2022-21189
GHSA-3XGX-R9J4-QW9W
SNYK-JAVA-ORGWEBJARSNPM-2805308
SNYK-JS-DEXIE-2607042

Affected Products

Dexie