PT-2023-20517 · Unknown · Underscore-Keypath

Peng Zhou

Published

2023-08-01

Updated

2023-08-04

CVE-2023-26139

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions underscore-keypath versions 0.0.11 and later

Description The issue arises from improper input sanitization in the setProperty() function, allowing the usage of arguments like proto and leading to Prototype Pollution. This can be exploited due to the lack of proper input validation.

Recommendations For versions 0.0.11 and later, consider disabling the setProperty() function until a patch is available to prevent exploitation. Restrict the use of the name argument in the setProperty() function to minimize the risk of Prototype Pollution. Avoid using arguments like proto in the setProperty() function until the issue is resolved.

Fix

Prototype Pollution

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1321

Related Identifiers

CVE-2023-26139

GHSA-GPVC-MX6G-CCHV

Affected Products

Underscore-Keypath

PT-2023-20517 · Unknown · Underscore-Keypath

CVE-2023-26139

Weakness Enumeration

Related Identifiers

Affected Products

References · 8