PT-2022-17233 · Set-In · Set-In
Cristian-Alexandru Staicu +2 · Published 2022-03-17 · Updated 2026-03-16 · CVE-2022-25354
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
set-in versions prior to 2.0.3
Description
The issue allows an attacker to perform Prototype Pollution via the setIn method, enabling them to merge object prototypes into it. This problem stems from an incomplete fix of a previous issue.
Recommendations
For versions prior to 2.0.3, update to version 2.0.3 or later to resolve the issue. As a temporary workaround, consider disabling the setIn method until a patch is available. Restrict access to the setIn method to minimize the risk of exploitation.
Exploit
Fix
Prototype Pollution
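The recommendation above to restrict access to the setIn method can be enforced by validating every path before it reaches the setter. This is an added example, not code from set-in or from this advisory: `assertSafePath`, `guardedSetIn` and the sample paths are hypothetical, and the nested-write loop is a stand-in that assumes a `setIn(obj, path, value)` call shape.

```javascript
// Added example: hypothetical guard placed in front of a setIn-style setter.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Validate an untrusted path before any write happens.
function assertSafePath(path) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array');
  }
  for (const key of path) {
    // Accept only primitive strings and non-negative integers. Any other type
    // would be coerced to a string at write time, after the check has run.
    const ok = typeof key === 'string' || (Number.isInteger(key) && key >= 0);
    if (!ok) throw new TypeError('path keys must be strings or array indexes');
    if (FORBIDDEN.has(String(key))) {
      throw new Error(`refusing to write through "${key}"`);
    }
  }
  return path;
}

// Minimal stand-in for the library call (assumption: setIn(obj, path, value)).
function guardedSetIn(target, path, value) {
  assertSafePath(path);
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    // Descend only into own properties so inherited objects are never modified.
    if (!Object.prototype.hasOwnProperty.call(node, key) ||
        node[key] === null || typeof node[key] !== 'object') {
      node[key] = typeof path[i + 1] === 'number' ? [] : {};
    }
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Constructed sample paths, as they might arrive from parsed request data.
function demo() {
  const rejected = [];
  for (const p of [['__proto__', 'polluted'],
                   ['constructor', 'prototype', 'polluted']]) {
    try { guardedSetIn({}, p, true); } catch (e) { rejected.push(e.constructor.name); }
  }
  const ok = guardedSetIn({}, ['user', 'roles', 0], 'admin');
  return { rejected, ok, polluted: ({}).polluted };
}

console.log(JSON.stringify(demo()));
```

The guard is a stopgap for code that cannot upgrade immediately; it does not replace updating to 2.0.3 or later.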
Weakness Enumeration
Related Identifiers
Affected Products
Set-In