CVE-2024-21529

EUVD-2024-2781
Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.
Prototype Pollution
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 23%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
dset_projectdset
𝑥
< 3.1.4
ADP
Common Weakness Enumeration
References
https://github.com/lukeed/dset/commit/16d6154e085bef01e99f01330e5a421a7f098afa
https://security.snyk.io/vuln/SNYK-JS-DSET-7116691