PT-2022-20532 · Unknown · Underscore.Deep
Published: 2022-06-28 · Updated: 2022-07-08
CVE-2022-31106
CVSS v3.1: 8.3 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
underscore.deep versions prior to 0.5.3
Description
The issue affects a collection of Underscore mixins that operate on nested objects. An attacker can craft a malicious payload and pass it to deepFromFlat, which then pollutes any Objects created afterwards. Users with deepFromFlat or deepPick in their code are at risk, since deepPick depends on deepFromFlat.
Recommendations
For versions prior to 0.5.3, upgrade to version 0.5.3 as soon as possible.
For users unable to upgrade, modify deepFromFlat to prevent specific keywords as a mitigation measure.
Exploit
Fix
Prototype Pollution
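The following is an added example and not underscore.deep's own code: a minimal "flat dotted path to nested object" expander in the style of a deepFromFlat mixin, first written without any key filtering and then hardened the way the mitigation above describes, by refusing the path segments that reach Object.prototype. The function names deepFromFlatUnsafe, deepFromFlatSafe and demonstrate, the FORBIDDEN_KEYS list and the sample payload are all constructed for this illustration and are not the library's API or exact logic.

```javascript
// Added example (not underscore.deep's code). deepFromFlatUnsafe / deepFromFlatSafe
// are names chosen here to contrast an unfiltered expander with a hardened one.

// Path segments that let a caller walk from a plain object into Object.prototype
// or the shared prototype chain. This is the "specific keywords" list a fix blocks.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unfiltered expander: for each dotted key it descends through whatever property
// it finds, inherited ones included, so a segment of "__proto__" resolves to
// Object.prototype and the final assignment lands on every future object.
function deepFromFlatUnsafe(flat) {
  const result = {};
  for (const path of Object.keys(flat)) {
    const parts = path.split('.');
    let node = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const key = parts[i];
      if (typeof node[key] !== 'object' || node[key] === null) {
        node[key] = {};
      }
      node = node[key]; // for key "__proto__" this is Object.prototype
    }
    node[parts[parts.length - 1]] = flat[path];
  }
  return result;
}

// Hardened expander: rejects any forbidden segment up front and, as defence in
// depth, only descends into own, plain-object properties of the node being built.
function deepFromFlatSafe(flat) {
  const result = {};
  for (const path of Object.keys(flat)) {
    const parts = path.split('.');
    for (const key of parts) {
      if (FORBIDDEN_KEYS.has(key)) {
        throw new TypeError(`unsafe key segment "${key}" in path "${path}"`);
      }
    }
    let node = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const key = parts[i];
      const own = Object.prototype.hasOwnProperty.call(node, key);
      if (!own || typeof node[key] !== 'object' || node[key] === null) {
        node[key] = {};
      }
      node = node[key];
    }
    node[parts[parts.length - 1]] = flat[path];
  }
  return result;
}

// Runs both variants against a constructed payload and reports what a fresh
// object looks like afterwards. The unsafe run is cleaned up immediately so the
// rest of the process is not left polluted.
function demonstrate() {
  // Constructed payload: the first segment of the first key names the prototype.
  const payload = { '__proto__.polluted': true, 'a.b': 1 };
  const outcome = {};

  deepFromFlatUnsafe(payload);
  outcome.unsafePolluted = ({}).polluted === true;
  delete Object.prototype.polluted; // undo the pollution caused by the unsafe run

  let rejected = false;
  try {
    deepFromFlatSafe(payload);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  outcome.safeRejected = rejected;
  outcome.safePolluted = ({}).polluted === true;
  outcome.safeNormal = deepFromFlatSafe({ 'a.b.c': 1 }).a.b.c === 1;
  return outcome;
}

console.log(demonstrate());
```

The check on FORBIDDEN_KEYS is what turns the advisory's recommendation into code; the own-property test is a second line of defence so that a segment the allowlist misses still cannot descend into an inherited object.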
Related Identifiers
Affected Products
Underscore.Deep