EPSS: 0.005 (Low)
Percentile: 76.1%
dset is vulnerable to prototype pollution. Through the merge function in merge.js, an attacker can inject properties into the prototypes of existing constructs by modifying attributes such as __proto__, constructor, and prototype.
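The class of bug described above, shown as an added example (not dset's source and not the project's fix): a recursive merge with no key filtering next to a hardened one that skips the three attributes named in the description. The names naiveMerge, safeMerge and demo, and the sample input, are assumptions constructed for illustration.

```javascript
// Added illustration; not dset's code. All names here are hypothetical.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
const isObject = (v) => v !== null && typeof v === 'object';

// Unfiltered recursive merge: target['__proto__'] resolves to Object.prototype,
// so recursing into it writes onto the prototype shared by every object.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isObject(source[key]) && isObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: own keys only, blocked keys skipped at every depth,
// and recursion only into properties the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    const val = source[key];
    if (isObject(val) && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isObject(target[key])) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

function demo() {
  // Constructed input: JSON.parse creates "__proto__" as an own, enumerable key.
  const untrusted = JSON.parse(
    '{"theme":{"dark":true},"__proto__":{"polluted":"yes"}}');
  naiveMerge({}, untrusted);
  const naivePolluted = ({}).polluted === 'yes'; // unrelated object is affected
  delete Object.prototype.polluted;              // restore global state
  const merged = safeMerge({}, untrusted);
  const safePolluted = ({}).polluted !== undefined;
  return { naivePolluted, safePolluted, merged };
}
```

A quick regression check for any merge helper is the same assertion demo makes: after merging untrusted input, a fresh {} must not carry the injected property.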
github.com/advisories/GHSA-23wx-cgxq-vpwx
github.com/lukeed/dset/blob/master/src/merge.js#L9
github.com/lukeed/dset/commit/2d156c7f615877ad11d2586f54865ebdc11e4acc
github.com/lukeed/dset/pull/34