
Prototype Pollution Vulnerability in Dependency: CVE-2023-26139 underscore-keypath

Open mdwekat opened this issue 1 year ago • 0 comments

Description

I have identified a Prototype Pollution vulnerability in the underscore-keypath dependency used by dot-json v1.3.0. This vulnerability is classified as CVE-2023-26139 and has potential security risks.

Details

  • Affected Version: dot-json v1.3.0
  • Vulnerable Dependency: underscore-keypath
  • CVE: CVE-2023-26139
  • Impact: Prototype Pollution may allow an attacker to inject arbitrary properties into existing objects, possibly leading to various security issues such as unauthorized code execution or bypassing security checks.

Steps to Reproduce

  1. Install the dot-json module with the version v1.3.0.
  2. Run npm audit in the project directory.

The audit report should indicate the security vulnerability related to underscore-keypath with reference to CVE-2023-26139.

Thank you.

mdwekat · Aug 10 '23 00:08
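An added illustrative example, not code from dot-json, underscore-keypath or the issue author: a minimal dotted-keypath setter of the kind such libraries provide, shown in a form that walks `__proto__` or `constructor.prototype` straight onto `Object.prototype` (the prototype pollution class the issue refers to), beside a hardened form that rejects those segments and only descends into own properties. The function names, the `marker` property and the sample paths are assumptions for the demonstration; it does not reproduce the specific code path behind CVE-2023-26139.

```javascript
// Illustrative model of a dotted-keypath setter (not the library's own code).

// Vulnerable: every segment is resolved with plain property access, so
// "__proto__" (or "constructor" then "prototype") lands on Object.prototype
// and the final assignment pollutes every object in the process.
function setPathUnsafe(target, path, value) {
  const parts = path.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined || cur[parts[i]] === null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Segments that can redirect the walk from the target object to a prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: refuse prototype-reaching segments up front, and create a fresh
// container unless the current level already has that key as an own property.
function setPathSafe(target, path, value) {
  const parts = path.split('.');
  for (const p of parts) {
    if (FORBIDDEN_SEGMENTS.has(p)) {
      throw new Error(`refusing to set prototype-reaching key segment: ${p}`);
    }
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Returns true if writing `path` through the unsafe setter made an unrelated,
// freshly created object inherit the `marker` property (hypothetical name).
// Cleans Object.prototype afterwards so the rest of the process is unaffected.
function pollutes(path) {
  setPathUnsafe({}, path, 'polluted');
  const victim = {};
  const hit = victim.marker === 'polluted';
  delete Object.prototype.marker;
  return hit;
}

// Returns true if the hardened setter rejected `path` and left prototypes clean.
function isRejected(path) {
  try {
    setPathSafe({}, path, 'polluted');
  } catch (e) {
    return ({}).marker === undefined;
  }
  return false;
}

// Sample paths (constructed for this demonstration). An attacker controls the
// key string whenever it comes from JSON, CLI arguments or a request body.
const ATTACK_PATHS = ['__proto__.marker', 'constructor.prototype.marker'];

for (const p of ATTACK_PATHS) {
  console.log(`${p}: unsafe pollutes=${pollutes(p)}, safe rejects=${isRejected(p)}`);
}
console.log('legitimate path via safe setter:', JSON.stringify(setPathSafe({}, 'a.b.c', 1)));
```

Note that blocking `__proto__` alone is not enough: `constructor.prototype` reaches the same object, which is why the hardened version rejects all three segment names rather than just one.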