PT-2022-17432 · Dset · Dset
Oscar Arnflo · Published 2022-05-01 · Updated 2023-09-12
CVE-2022-25645 · CVSS v2.0 6.8 (Medium) · Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
dset versions prior to 3.1.2
Description
The issue arises from the validation that the dset function performs in 'dset/merge' mode: it guards against prototype pollution by checking for `__proto__`, `constructor`, or `prototype` only among the segments of the top-level path. Because the check covers only the path, a crafted object supplied as the value to be merged bypasses it, leading to prototype pollution.
Recommendations
For versions prior to 3.1.2, update to version 3.1.2 or later to resolve the issue.
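As an added illustration (this is not dset's code, nor the fix shipped in 3.1.2), the following shows the defensive shape of a path-setter whose key guard is applied inside the recursive merge as well as on the path, together with a helper that flags such keys in untrusted input before it reaches any merge. The function names `hasDangerousKey`, `safeMerge` and `safeSet` are hypothetical, and the input object is constructed for the demonstration.

```javascript
// Keys that must never be assigned during a merge or path walk.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// True if the value (or any nested object) carries a blocked own key.
// Useful as an input check before untrusted JSON reaches a merge.
function hasDangerousKey(value) {
  if (value === null || typeof value !== 'object') return false;
  for (const k of Object.keys(value)) {
    if (BLOCKED.has(k) || hasDangerousKey(value[k])) return true;
  }
  return false;
}

// Recursive merge of src into dst that skips blocked keys at every depth,
// so a nested "__proto__" in src is never written to dst.
function safeMerge(dst, src) {
  if (src === null || typeof src !== 'object') return src;
  if (dst === null || typeof dst !== 'object') dst = Array.isArray(src) ? [] : {};
  for (const k of Object.keys(src)) {
    if (BLOCKED.has(k)) continue;
    dst[k] = safeMerge(dst[k], src[k]);
  }
  return dst;
}

// Sets a dotted path on obj, merging an object value (the merge-mode case).
// Blocked path segments are rejected; the value goes through safeMerge.
function safeSet(obj, path, val) {
  const keys = path.split('.');
  let t = obj;
  for (let i = 0; i < keys.length; i++) {
    const k = keys[i];
    if (BLOCKED.has(k)) throw new Error(`blocked path segment: ${k}`);
    if (i === keys.length - 1) {
      t[k] = safeMerge(t[k], val);
    } else {
      if (t[k] === null || typeof t[k] !== 'object') t[k] = {};
      t = t[k];
    }
  }
  return obj;
}

// Reports whether Object.prototype is still free of the marker key.
function prototypeIsClean() {
  return !('polluted' in {});
}

// Constructed untrusted input: a harmless path with a value whose own
// "__proto__" key would reach Object.prototype through an unguarded merge.
const untrusted = JSON.parse('{"__proto__": {"polluted": true}}');
const target = safeSet({ cfg: {} }, 'cfg', untrusted);
```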
Prototype Pollution
Weakness Enumeration
Affected Products
Dset