EUVD-2021-1180

Malware in sbrugna...

@digiwano/enquirer-experiments (>=0.0.1 <=0.0.3), firepit (=0.0.1) +1 more potentially affected by CVE-2020-7716 via deeps (=1.4.5)

deeps NPM version =1.4.5 is affected by a known vulnerability. The following packages have a transitive dependency on deeps and may be impacted: - @digiwano/enquirer-experiments =0.0.1, =0.0.3 - firepit =0.0.1 - rnfb-cli =1.0.0 Source cves: CVE-2020-7716 Source advisory: OSV:GHSA-RGFV-V3JH-7FFP...

GHSA-RGFV-V3JH-7FFP Prototype Pollution in deeps

All versions of package deeps up to and including version 1.4.5 are vulnerable to Prototype Pollution via the set function...

Prototype Pollution in deeps

All versions of package deeps up to and including version 1.4.5 are vulnerable to Prototype Pollution via the set function...

Prototype Pollution

deeps is vulnerable to prototype pollution. The vulnerability exists as it does not restrict the proto header to be set through the set function...

CVE-2020-7716

All versions of package deeps are vulnerable to Prototype Pollution via the set function...

Design/Logic Flaw

All versions of package deeps are vulnerable to Prototype Pollution via the set function...

CVE-2020-7716

CVE-2020-7716 affects the npm package deeps and is a prototype pollution vulnerability via the set function. Public sources describe affected versions as older than 1.4.6 (GHSA: all versions up to 1.4.5; PT-2020-19738 states prior to 1.4.6). Root cause: unsafe handling in object merging/set that ...

CVE-2020-7716 Prototype Pollution

All versions of package deeps are vulnerable to Prototype Pollution via the set function...

PT-2020-19738 · Deeps · Deeps

Name of the Vulnerable Software and Affected Versions: deeps versions prior to 1.4.6 Description: The issue concerns Prototype Pollution via the set function. This allows for potential manipulation of object properties, which could lead to various security issues. Recommendations: For versions...

@digiwano/enquirer-experiments (>=0.0.1 <=0.0.3), firepit (=0.0.1) +1 more potentially affected by CVE-2020-7716 via deeps (=1.4.5)

deeps NPM version =1.4.5 is affected by a known vulnerability. The following packages have a transitive dependency on deeps and may be impacted: - @digiwano/enquirer-experiments =0.0.1, =0.0.3 - firepit =0.0.1 - rnfb-cli =1.0.0 Source cves: CVE-2020-7716 Source advisory: SNYK:JS-DEEPS-598667...

Prototype Pollution

Overview deeps is a Highly performant utilities to manage deeply nested objects. get, set, merge, flatten, diff etc. Affected versions of this package are vulnerable to Prototype Pollution via the set function. POC: const deeps = require'deeps'; deeps.set, 'proto.polluted', true;...