Malicious code in flatten-unflatten (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 96678bbed20be5d500dc65bda769b41f7d3666a18c8a76262aca5ed79ef584fd The package flatten-unflatten was found to contain malicious code. Source: ghsa-malware...
EUVD-2025-199215
Malicious code in flatten-unflatten npm...
MAL-2025-191095 Malicious code in flatten-unflatten (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 96678bbed20be5d500dc65bda769b41f7d3666a18c8a76262aca5ed79ef584fd The package flatten-unflatten was found to contain malicious code. Source: ghsa-malware...
@cycle-mega-driver/database (>=0.2.1 <=0.3.2), @fluidnotions/rx-pouch (>=0.6.7 <=0.6.8) +2 more potentially affected by unknown CVE via flatten-unflatten (=1.0.0)
flatten-unflatten NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on flatten-unflatten and may be impacted: - @cycle-mega-driver/database =0.2.1, =0.6.7, =1.0.0, =0.3.0, =0.6.9 Source cves: unknown CVE Source advisory: OSV:MAL-2025-1910...
@cycle-mega-driver/database (>=0.2.1 <=0.3.2), @fluidnotions/rx-pouch (>=0.6.7 <=0.6.8) +3 more potentially affected by unknown CVE via set-nested-prop (=2.0.0)
set-nested-prop NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on set-nested-prop and may be impacted: - @cycle-mega-driver/database =0.2.1, =0.6.7, =1.0.0, =0.3.0, =0.6.9 Source cves: unknown CVE Source advisory: OSV:MAL-2025-191010...
EUVD-2021-1215
Malware in sbrugna...
Prototype Pollution in arr-flatten-unflatten
All versions of package arr-flatten-unflatten up to and including version 1.1.4 are vulnerable to Prototype Pollution via the constructor...
GHSA-W8F3-PVX4-4C3H Prototype Pollution in arr-flatten-unflatten
All versions of package arr-flatten-unflatten up to and including version 1.1.4 are vulnerable to Prototype Pollution via the constructor...
Prototype Pollution in quernest/arr-flatten-unflatten
Description: arr-flatten-unflatten is vulnerable to Prototype Pollution. Proof of Concept: 1. Create the following PoC file: // poc.js var arrFlattenUnflatten = require("arr-flatten-unflatten") console.log("Before : " + {}.polluted); arrFlattenUnflatten.unflatten({'protopolluted': 'Yes! Its Polluted'});...
Prototype Pollution
arr-flatten-unflatten is vulnerable to prototype pollution. An attacker is able to inject properties into existing construct prototypes and modify attributes such as __proto__, constructor and prototype...
CVE-2020-7713
All versions of package arr-flatten-unflatten are vulnerable to Prototype Pollution via the constructor...
CVE-2020-7713 Prototype Pollution
All versions of package arr-flatten-unflatten are vulnerable to Prototype Pollution via the constructor...
CVE-2020-7713
CVE-2020-7713 affects the npm package arr-flatten-unflatten. All versions up to and including 1.1.4 are vulnerable to prototype pollution via the constructor. Public advisories (GHSA, OSV, Snyk, Veracode) confirm the issue and provide a PoC demonstrating pollution of Object.prototype. There is ...
PT-2020-19735 · Npm · Arr-Flatten-Unflatten
Name of the Vulnerable Software and Affected Versions: arr-flatten-unflatten versions up to and including 1.1.4 Description: The issue concerns Prototype Pollution via the constructor. This means that an attacker could potentially manipulate the prototype of an object, leading to unintended...
Prototype Pollution
Overview: arr-flatten-unflatten is a non-recursive method of flattening an array or arrays and unflattening the result. Affected versions of this package are vulnerable to Prototype Pollution via the constructor. POC: const unflatten = require('arr-flatten-unflatten'); unflatten({'__proto__.polluted':true});...