CVE-2021-23460 – min-dash
Package
Manager: npm
Name: min-dash
Vulnerable Version: >=0 <3.8.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00542 (percentile 0.66706)
Details
Prototype pollution in min-dash

### Impact

The `set` method is vulnerable to prototype pollution with specially crafted inputs.

```javascript
// insert the following into poc.js and run `node poc.js` (after installing the package)
let parser = require("min-dash");
parser.set({}, [["__proto__"], "polluted"], "success");
console.log(polluted);
```

### Patches

`min-dash>=3.8.1` fixes the issue.

### Workarounds

No workarounds exist for the issue.

### References

Closed via https://github.com/bpmn-io/min-dash/pull/21.

### Credits

Credits to Cristian-Alexandru STAICU who found the vulnerability and to Idan Digmi from the Snyk Security Team who reported the vulnerability to us, responsibly.
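The PoC path starts with an array, `["__proto__"]`, which JavaScript coerces to the string `__proto__` when it is used as a property name, so a guard has to check key types as well as key names. The following is an added example, not min-dash's code or its patch: a path setter that validates every segment before writing. `FORBIDDEN_KEYS`, `assertSafeKey`, `safeSet` and `demo` are hypothetical names and the sample paths are constructed.

```javascript
// Added example (assumption: a generic path setter, not min-dash source).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function assertSafeKey(key) {
  // Accept primitives only: an array such as ['__proto__'] would otherwise
  // be coerced to the string '__proto__' when used as a property name.
  if (typeof key !== 'string' && typeof key !== 'number') {
    throw new TypeError('illegal key type: ' + typeof key);
  }
  if (FORBIDDEN_KEYS.has(String(key))) {
    throw new Error('illegal key: ' + key);
  }
}

function safeSet(target, path, value) {
  path.forEach(assertSafeKey); // validate the whole path before mutating
  let current = target;
  path.forEach((key, idx) => {
    if (idx === path.length - 1) {
      current[key] = value;
      return;
    }
    // Follow own properties only, so inherited objects are never written to.
    const own = Object.prototype.hasOwnProperty.call(current, key);
    if (!own || current[key] === null || typeof current[key] !== 'object') {
      current[key] = {};
    }
    current = current[key];
  });
  return target;
}

// Runs constructed inputs, including the advisory's PoC path, and reports outcomes.
function demo() {
  const results = { nested: safeSet({}, ['a', 'b', 0], 'ok') };
  for (const [name, path] of [
    ['pocPath', [['__proto__'], 'polluted']],
    ['stringProto', ['__proto__', 'polluted']],
    ['ctor', ['constructor', 'prototype', 'polluted']],
  ]) {
    try { safeSet({}, path, 'success'); results[name] = 'accepted'; }
    catch (e) { results[name] = 'rejected'; }
  }
  results.polluted = 'polluted' in {}; // true would mean Object.prototype changed
  return results;
}
```
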
Metadata
Created: 2022-02-01T00:44:35Z
Modified: 2025-07-18T19:59:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-2m53-83f3-562j/GHSA-2m53-83f3-562j.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-2m53-83f3-562j
Finding: F390
Auto approve: 1