CVE-2022-21189 Prototype Pollution

2022-05-0115:25:21

snyk

www.cve.org

cve-2022-21189

prototype pollution

dexie package

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

AI Score

9.6

Confidence

High

EPSS

0.006

Percentile

79.2%

JSON

The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like proto or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. Note: This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input.

CNA Affected

[
  {
    "product": "dexie",
    "vendor": "n/a",
    "versions": [
      {
        "lessThan": "3.2.2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "4.0.0-alpha.1",
        "versionType": "custom"
      },
      {
        "lessThan": "4.0.0-alpha.3",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]