CVE-2020-15256 – object-path

Package

Manager: npm
Name: object-path
Vulnerable Version: >=0 <0.11.5

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00311 pctl0.53667

Details

Prototype pollution in object-path ### Impact A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable. ### Patches Upgrade to version >= 0.11.5 ### Workarounds Don't use the `includeInheritedProps: true` options or the `withInheritedProps` instance if using a version >= 0.11.0. ### References [Read more about the prototype pollution vulnerability](https://codeburst.io/what-is-prototype-pollution-49482fc4b638) ### For more information If you have any questions or comments about this advisory: * Open an issue in [object-path](https://github.com/mariocasciaro/object-path)

Metadata

Created: 2020-10-19T20:55:55Z
Modified: 2021-11-19T14:05:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-cwx2-736x-mf6w/GHSA-cwx2-736x-mf6w.json
CWE IDs: ["CWE-20", "CWE-471"]
Alternative ID: GHSA-cwx2-736x-mf6w
Finding: F138
Auto approve: 1