dexie is vulnerable to prototype pollution. An attacker is able to add or modify properties of Object.prototype via the Dexie.setByKeyPath function, which does not properly check whether the keys being set are ones like __proto__ or constructor.
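
The missing key check described above, as an added example that is not taken from the advisory or from Dexie's source: a simplified dotted-path setter shown without and with validation of the path segments. The names setByKeyPathUnsafe, setByKeyPathSafe, BLOCKED and demo are hypothetical, and the inputs are constructed.

```javascript
// Added example: simplified dotted-path setters, not Dexie's source code.

// Unguarded: each path segment is used as a property name as-is, so
// "__proto__" or "constructor.prototype" walks onto Object.prototype.
function setByKeyPathUnsafe(obj, keyPath, value) {
  const keys = keyPath.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
}

const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Guarded: reject dangerous segments and descend only into own properties.
function setByKeyPathSafe(obj, keyPath, value) {
  const keys = String(keyPath).split('.');
  if (keys.some((k) => BLOCKED.has(k))) {
    throw new TypeError('refused key path: ' + keyPath);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || cur[k] === null || typeof cur[k] !== 'object') cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
}

// Runs both setters on constructed inputs and reports what happened.
function demo() {
  setByKeyPathUnsafe({}, '__proto__.polluted', 'yes');
  const unsafePolluted = ({}).polluted === 'yes'; // unrelated object is affected
  delete Object.prototype.polluted; // restore global state
  const rejected = [];
  for (const path of ['__proto__.polluted', 'constructor.prototype.polluted']) {
    try { setByKeyPathSafe({}, path, 'yes'); } catch (e) { rejected.push(path); }
  }
  const safePolluted = ({}).polluted !== undefined;
  const rec = {};
  setByKeyPathSafe(rec, 'address.city', 'Oslo'); // ordinary nested write still works
  return { unsafePolluted, rejected, safePolluted, city: rec.address.city };
}

console.log(demo());
```

The same segment check belongs in front of any call that passes an externally supplied key path to a path-based setter.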