CVE-2019-10747

Critical

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or…

snyk·CWE-400·Published 2019-08-23

CVSS

9.8

EPSS

0.02

KEV

Exploits

Vendor statements (2)

cve.orgen

235 chars

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads.

OSV.deven

454 chars

Versions of `set-value` prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The `set` function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. ## Recommendation If you are using `set-value` 3.x, upgrade to version 3.0.1 or later. If you are using `set-value` 2.x, upgrade to version 2.0.1 or later.

GHSAen

454 chars

NVDes

281 chars

set-value es vulnerable a Prototype Pollution en versiones anteriores a 2.0.1 y la versión 3.0.0. La función mixin-deep podría ser engañada para agregar o modificar propiedades de Object.prototype usando cualquiera de las cargas útiles de constructor, prototipo y _proto_ payloads.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	7.5	10.0	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
3.1	Primary	NVD	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.1	Secondary	GHSA	9.8	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H