CVE-2023-26139

EUVD-2023-2296
Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to improper input sanitization which allows the usage of arguments like “__proto__”.
Prototype Pollution
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
snykCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 33%
Affected Products (NVD)
VendorProductVersion
underscore-keypath_projectunderscore-keypath
0.0.11 ≤
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://gist.github.com/lelecolacola123/cc0d1e73780127aea9482c05f2ff3252
https://security.snyk.io/vuln/SNYK-JS-UNDERSCOREKEYPATH-5416714
https://gist.github.com/lelecolacola123/cc0d1e73780127aea9482c05f2ff3252
https://security.snyk.io/vuln/SNYK-JS-UNDERSCOREKEYPATH-5416714