dot-json
Prototype Pollution Vulnerability in Dependency: CVE-2023-26139 underscore-keypath
Description
I have identified a Prototype Pollution vulnerability in the `underscore-keypath` dependency used by `dot-json` v1.3.0. This vulnerability is classified as CVE-2023-26139 and has potential security risks.
Details
- Affected Version: `dot-json` v1.3.0
- Vulnerable Dependency: `underscore-keypath`
- CVE: CVE-2023-26139
- Impact: Prototype Pollution may allow an attacker to inject arbitrary properties into existing objects, possibly leading to various security issues such as unauthorized code execution or bypassing security checks.
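The following is an added illustration of the bug class named above, not code from `underscore-keypath`, `dot-json`, or this report: a naive dot-path setter that walks through inherited properties such as `__proto__`, beside a hardened variant that refuses prototype-chain segments. The names `naiveSet`, `safeSet`, `FORBIDDEN_KEYS` and `demonstrate`, and the path strings fed to them, are constructed for the demo and make no claim about how either library is implemented or was patched.

```javascript
// Added illustration of the prototype-pollution bug class, not code from
// underscore-keypath or dot-json. naiveSet mimics a dot-path setter that
// descends through any property, inherited ones included; safeSet is a
// hardened variant. All names and inputs here are constructed for the demo.

function naiveSet(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    // cur['__proto__'] resolves to Object.prototype, so the walk leaves obj
    // and the final assignment lands on the shared prototype.
    if (cur[key] === undefined || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

function safeSet(obj, path, value) {
  const parts = path.split('.');
  // Reject any segment that could redirect the walk onto a prototype.
  for (const p of parts) {
    if (FORBIDDEN_KEYS.has(p)) {
      throw new Error(`refusing to set through forbidden key "${p}" in path "${path}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    // Only descend into own, plain-object properties; create one otherwise.
    if (!Object.prototype.hasOwnProperty.call(cur, key) ||
        typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Runs both setters against constructed malicious paths and reports the
// observable effect on an unrelated, freshly created object.
function demonstrate() {
  const before = ({}).polluted;            // undefined on a clean runtime
  naiveSet({}, '__proto__.polluted', true);
  const after = ({}).polluted;             // true: every object now inherits it
  delete Object.prototype.polluted;        // undo the pollution for the rest of the process

  let blocked = false;
  try {
    safeSet({}, '__proto__.polluted', true);
  } catch (e) {
    blocked = true;
  }
  let viaConstructor = false;
  try {
    safeSet({}, 'constructor.prototype.polluted', true);
  } catch (e) {
    viaConstructor = true;
  }
  const normal = safeSet({}, 'a.b.c', 42);  // legitimate nested write still works

  return {
    before,
    after,
    blocked,
    viaConstructor,
    normalValue: normal.a.b.c,
    stillClean: ({}).polluted === undefined,
  };
}

console.log(demonstrate());
```

Run it with `node`: `after` comes back `true` because the naive walk assigned onto `Object.prototype`, while `safeSet` throws for both the `__proto__` and `constructor.prototype` paths and still performs an ordinary nested write. The own-property check matters as much as the deny list: an attacker-controlled key that is not on the list but resolves to an inherited object would otherwise still move the walk off the target object.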
Steps to Reproduce
1. Install the `dot-json` module with the version v1.3.0.
2. Run `npm audit` in the project directory.

The audit report should indicate the security vulnerability related to `underscore-keypath` with reference to CVE-2023-26139.
Thank you.