Hi, we are a security team. We found a Prototype Pollution vulnerability in your project.
Vulnerability Details
Vulnerability Type
Prototype Pollution
Detailed Cause
caseless is used for case-insensitive HTTP header management. Its constructor accepts a dict object and stores it as this.dict without validation.
If an attacker passes Object.prototype as the dict, all subsequent set() operations write properties directly onto Object.prototype.
The set() method performs dynamic assignment (this.dict[name] = value) without filtering dangerous keys like __proto__, allowing full global prototype pollution.
Vulnerable Code Location
package/package/index.js:14 (DYNAMIC_PROP_WRITE sink)
Proof of Concept (POC)
const lib = require('caseless');
const ctx = lib(Object.prototype);
ctx.set('polluted', true);
// Verify pollution
console.log({}.polluted); // true
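For comparison, here is a hardened version of the constructor/set()/has()/get() shape the report describes. This is an added illustration, not code from the caseless project: the names safeCaseless, SafeHeaders, isSafeDict, isDangerousKey, rejectedWithTypeError and globalPrototypeIsClean are assumptions made for this example. It closes both gaps from the report: the backing dict is validated (Object.prototype and non-plain objects are refused) and set() rejects reserved property names before any dynamic write.

```javascript
'use strict';
// Added example, not the caseless library's own code. It models the
// constructor/set()/has()/get() shape described in the report and adds two
// guards: the backing dict is validated, and set() refuses property names
// that would reach the prototype chain. All names below (safeCaseless,
// SafeHeaders, isSafeDict, isDangerousKey, ...) are hypothetical.

// Keys that must never be used for dynamic property writes on a plain object.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isDangerousKey(name) {
  return DANGEROUS_KEYS.has(String(name).toLowerCase());
}

// Only a plain object (prototype Object.prototype or null) may back the store.
// Object.prototype itself is rejected explicitly: its own prototype is null,
// so it would otherwise pass the prototype check below.
function isSafeDict(dict) {
  if (dict === undefined) return true;
  if (dict === null || typeof dict !== 'object') return false;
  if (dict === Object.prototype) return false;
  const proto = Object.getPrototypeOf(dict);
  return proto === null || proto === Object.prototype;
}

function SafeHeaders(dict) {
  if (!isSafeDict(dict)) {
    throw new TypeError('header dict must be a plain object');
  }
  // Keep the caller's reference so their object sees updates; the guard
  // above guarantees it is not a shared prototype.
  this.dict = dict || {};
}

// Returns the stored key matching `name` case-insensitively, or false.
// Only own keys are consulted, so inherited properties never count as headers.
SafeHeaders.prototype.has = function (name) {
  const wanted = String(name).toLowerCase();
  for (const key of Object.keys(this.dict)) {
    if (key.toLowerCase() === wanted) return key;
  }
  return false;
};

// Sets a header. With clobber=false an existing value is joined with ','.
// Reserved names are refused before any dynamic write happens.
SafeHeaders.prototype.set = function (name, value, clobber = true) {
  if (isDangerousKey(name)) {
    throw new TypeError(`refusing to set reserved property name "${name}"`);
  }
  const existing = this.has(name);
  if (existing && !clobber) {
    this.dict[existing] += ',' + value;
  } else if (existing) {
    this.dict[existing] = value;
  } else {
    this.dict[name] = value;
  }
  return existing;
};

SafeHeaders.prototype.get = function (name) {
  const key = this.has(name);
  return key === false ? undefined : this.dict[key];
};

SafeHeaders.prototype.del = function (name) {
  const key = this.has(name);
  if (key !== false) delete this.dict[key];
  return key;
};

// Factory mirroring the call style in the report's PoC (lib(dict)).
function safeCaseless(dict) {
  return new SafeHeaders(dict);
}

// True if calling fn throws a TypeError; used to demonstrate the guards.
function rejectedWithTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

// Regression check for the report's PoC: a fresh object must not have
// gained a 'polluted' property after the guards are exercised.
function globalPrototypeIsClean() {
  return !Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted')
      && ({}).polluted === undefined;
}

// Usage: normal headers work, the two attack shapes are refused.
const headers = safeCaseless({});
headers.set('Content-Type', 'text/plain');
console.log(headers.get('content-type'));                                       // text/plain
console.log(rejectedWithTypeError(() => safeCaseless(Object.prototype)));        // true
console.log(rejectedWithTypeError(() => headers.set('__proto__', true)));        // true
console.log(globalPrototypeIsClean());                                           // true
```

The key-name check is lower-cased because the store itself is case-insensitive: a filter that only compared exact strings would let "Constructor" through while has() still matched it. Keeping the caller's dict by reference preserves the shared-object behaviour the report describes, which is why the constructor-time validation matters as much as the set() filter.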