Security vulnerability found in dot-prop
Vulnerable module: dot-prop
Introduced through: compare-func@1.3.2
Detailed paths
- Introduced through: conventional-changelog-angular@5.0.6 › compare-func@1.3.2 › dot-prop@3.0.0
https://app.snyk.io/test/npm/conventional-changelog-angular/5.0.6
Overview
dot-prop is a package to get, set, or delete a property from a nested object using a dot path.
Affected versions of this package are vulnerable to Prototype Pollution: a user-controlled dot path can modify the prototype of a base object (Object.prototype), so the injected property then shows up on every object that inherits from it.
PoC by aaron_costello
const dotProp = require("dot-prop"); // an affected version, e.g. 3.0.0 as in the path above
const object = {};
console.log("Before " + object.b); // undefined
dotProp.set(object, '__proto__.b', true); // the path walks into Object.prototype
console.log("After " + {}.b); // true: even a fresh object now inherits b
Remediation
Upgrade dot-prop to version 5.1.1 or higher.
Issue Analytics
- Created 4 years ago
- Comments: 6 (2 by maintainers)
Top GitHub Comments
I am still getting the Prototype Pollution vulnerability for dot-prop through "conventional-changelog-conventionalcommits": "4.3.0", used in @commitlint/config-conventional 9.1.2.
Fixed by PR #647. Can be closed when conventional-changelog-angular 5.0.11 is released. See #658.