Skip to content

Prototype Pollution in set-value

high severity Published Sep 13, 2021 • Updated Oct 6, 2021

Package

npm set-value (npm)

Affected versions

< 4.0.1

Patched versions

4.0.1

Package

nuget set-value-nuget (nuget)

Affected versions

< 2.0.0

Patched versions

2.0.0

Description

This affects the package set-value before 4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

References

CVE ID

CVE-2021-23440

CVSS Score

7.3 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L