CVE-2021-23460

High

The package min-dash before 3.8.1 are vulnerable to Prototype Pollution via the set method due to missing enforcement of key types.

snyk·CWE-1321·Published 2022-01-21

CVSS

7.5

EPSS

0.02

KEV

Exploits

cve.orgen

131 chars

The package min-dash before 3.8.1 are vulnerable to Prototype Pollution via the set method due to missing enforcement of key types.

NVDen

131 chars

The package min-dash before 3.8.1 are vulnerable to Prototype Pollution via the set method due to missing enforcement of key types.

### Impact The `set` method is vulnerable to prototype pollution with specially crafted inputs. ```javascript // insert the following into poc.js and run node poc,js (after installing the package) let parser = require("min-dash"); parser.set({}, [["__proto__"], "polluted"], "success"); console.log(polluted); ``` ### Patches `min-dash>=3.8.1` fix the issue. ### Workarounds No workarounds exist for the issue. ### References Closed via https://github.com/bpmn-io/min-dash/pull/21. ### Credits Credits to Cristian-Alexandru STAICU who found the vulnerability and to Idan Digmi from the Snyk Security Team who reported the vulnerability to us, responsibly.

GHSAen

667 chars

NVDes

169 chars

El paquete min-dash versiones anteriores a 3.8.1 es vulnerable a una Contaminación de Prototipos por el método set debido a una falta de aplicación de los tipos de clave

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	5.0	10.0	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
3.1	Primary	cve.org	7.5	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P
3.1	Primary	cve.org	7.5	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P
3.1	Primary	NVD	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3.1	Secondary	NVD	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3.1	Secondary	GHSA	7.5	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H