A prototype pollution vulnerability has been found in object-path
<= 0.11.4 affecting the set()
method. The vulnerability is limited to the includeInheritedProps
mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path
and setting the option includeInheritedProps: true
, or by using the default withInheritedProps
instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set()
in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don’t use the includeInheritedProps: true
options or the withInheritedProps
instance if using a version >= 0.11.0.
CPE | Name | Operator | Version |
---|---|---|---|
object-path | eq | 0.9.1 | |
object-path | eq | 0.9.0 | |
object-path | eq | 0.6.0 | |
object-path | eq | 0.2.1 | |
object-path | eq | 0.9.2 | |
object-path | eq | 0.9.3 | |
object-path | eq | 0.4.0 | |
object-path | eq | 0.5.1 | |
object-path | eq | 0.8.0 | |
object-path | eq | 0.10.0 |