7 matches found
dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()
Summary dottie versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit 7d3aee1 only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing proto at any position other than...
GHSA-R5MX-6WC6-7H9W dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()
Summary dottie versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit 7d3aee1 only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing proto at any position other than...
12g (=0.0.27), 402 (>=0.0.2 <=0.1.1) +1026 more potentially affected by CVE-2023-26132 +1 more via dottie (>=0.0.6-1 <=2.0.3)
dottie NPM version =0.0.6-1, =0.0.2, =1.16.1, =1.16.0, =1.16.0, =1.16.0, =1.16.0, =0.0.1, =1.1.7, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.6 and more Source cves: CVE-2023-26132, CVE-2026-27837 Source advisory: OSV:GHSA-4GXF-G5GF-22H4...
CVE-2023-26132
Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set function and the current variable in the /dottie.js file...
CVE-2023-26132
Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set function and the current variable in the /dottie.js file...
CVE-2023-26132
Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set function and the current variable in the /dottie.js file...
CVE-2023-26132
CVE-2023-26132 affects the Node.js package dottie. Affected component: dottie.js (set() function) within the dottie package. Vulnerable versions: all before 2.0.4. Root cause: Prototype Pollution due to insufficient input validation in set(), enabling property injection via the current variable. ...