2 matches found
CVE-2022-25645
The CVE concerns the npm package dset for Node.js. Affected: dset versions prior to 3.1.2. Root cause: a Prototype Pollution flaw in the dset/merge mode, where the code validates top-level paths for `__proto__`, `constructor`, or `prototype`, but the check can be bypassed by crafting a malicious object. I...
CVE-2020-28277
Prototype pollution in the npm module dset (versions 1.0.0–2.0.1) allows an attacker to pollute Object.prototype, enabling DoS and potentially remote code execution. The affected function is the export logic, which handles obj, keys, val without proper validation. Documented exploitation points include man...