CVE-2021-21304 – dynamoose

Package

Manager: npm
Name: dynamoose
Vulnerable Version: >=2.0.0 <2.7.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00637 pctl0.6957

Details

Prototype Pollution in Dynamoose ### Impact In Dynamoose versions 2.0.0-2.6.0 there was a prototype pollution vulnerability in the internal utility method [`lib/utils/object/set.ts`](https://github.com/dynamoose/dynamoose/blob/master/lib/utils/object/set.ts). This method is used throughout the codebase for various operations throughout Dynamoose. We have not seen any evidence of this vulnerability being exploited. We do not believe this issue impacts v1.x.x since this method was added as part of the v2 rewrite. This vulnerability also impacts v2.x.x beta/alpha versions. ### Patches v2.7.0 includes a patch for this vulnerability. ### Workarounds We are unaware of any workarounds to patch this vulnerability other than upgrading to v2.7.0 or greater. ### References - Patch commit hash: 324c62b4709204955931a187362f8999805b1d8e ### For more information If you have any questions or comments about this advisory: * [Contact me](https://charlie.fish/contact) * [Read our Security Policy](https://github.com/dynamoose/dynamoose/blob/master/SECURITY.md) ### Credit - GitHub CodeQL Code Scanning

Metadata

Created: 2021-02-08T17:44:01Z
Modified: 2022-05-26T19:58:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-rrqm-p222-8ph2/GHSA-rrqm-p222-8ph2.json
CWE IDs: ["CWE-1321", "CWE-915"]
Alternative ID: GHSA-rrqm-p222-8ph2
Finding: F390
Auto approve: 1