PT-2026-22065 · Dottie · Dottie

76Embiid21 · Published 2023-06-10 · Updated 2026-02-26 · CVE-2026-27837

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: dottie versions 2.0.4 through 2.0.6

Description: dottie is a JavaScript library for nested object access and manipulation. Versions 2.0.4 through 2.0.6 contain an incomplete fix for a prototype pollution issue. The prototype pollution guard only validates the first segment of a dot-separated path, allowing attackers to bypass the protection by placing __proto__ at any position other than the first. The dottie.set() and dottie.transform() functions are affected. Versions prior to 2.0.4 are vulnerable due to insufficient checks within the set() function and the current variable in the /dottie.js file.

Recommendations: Update to dottie version 2.0.7 or later.
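
The difference between a first-segment guard and an every-segment guard, as an added example that is not dottie's source code. All function names, the blocked-key list and the sample path are assumptions constructed for this illustration.

```javascript
// Added illustration; NOT dottie's code. All names here are hypothetical.
// Assumption: blocked keys go beyond the __proto__ named in the advisory.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Generic nested setter: walks the path and creates missing intermediate objects.
function setPath(obj, segments, value) {
  let current = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (current[key] === null || typeof current[key] !== 'object') current[key] = {};
    current = current[key];
  }
  current[segments[segments.length - 1]] = value;
}

// Incomplete guard (the pattern the description reports): checks segment 0 only.
function setFirstSegmentGuard(obj, path, value) {
  const segments = path.split('.');
  if (BLOCKED.has(segments[0])) return false;
  setPath(obj, segments, value);
  return true;
}

// Complete guard: rejects the write if any segment is a blocked key.
function setEverySegmentGuard(obj, path, value) {
  const segments = path.split('.');
  if (segments.some((s) => BLOCKED.has(s))) return false;
  setPath(obj, segments, value);
  return true;
}

// Runs both guards on a constructed path and reports whether Object.prototype changed.
function demo() {
  const path = 'a.__proto__.constructedFlag'; // constructed sample input
  const r = {};
  r.leadingBlocked = setFirstSegmentGuard({}, '__proto__.constructedFlag', true) === false;
  r.firstAccepted = setFirstSegmentGuard({}, path, true);
  r.pollutedAfterFirst = ({}).constructedFlag === true;
  delete Object.prototype.constructedFlag; // restore the shared prototype
  r.everyAccepted = setEverySegmentGuard({}, path, true);
  r.pollutedAfterEvery = ({}).constructedFlag === true;
  return r;
}

console.log(demo());
```

A regression test for the upgrade to 2.0.7 or later can follow the same shape: write through a path with the blocked key in a non-leading position, then assert that a fresh `{}` has not gained the property.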

Exploit

Fix

Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2026-27837
GHSA-4GXF-G5GF-22H4
GHSA-R5MX-6WC6-7H9W

Affected Products

Dottie