Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Security Issue - CVE-2022-25645 - Node module `dset`
See original GitHub issueThere is currently CVE open for the module dset for the following problem:
Affected versions of this package are vulnerable to Prototype Pollution via ‘dset/merge’ mode, as the dset function checks for prototype pollution by validating if the top-level path contains proto, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.
This affect graphiql on the following line - which is affected as it uses dset/merge as the imported module:
dset(payload.data, path, data);
Would it be possible to migrate away from dset soon?
Issue Analytics
- State:
- Created a year ago
- Reactions:2
- Comments:9 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
This has been fixed in
dset@3.1.2I think you may need to provide a custom merge function as setting merge = true according to docs for set-value seems to only perform a shallow merge which is probably not enough.
I actually didn’t check to see how setvalue works and how it’s being used, but just thinking about overlapping deferred fragments, it seems that you would need deep merging.
Also, out of curiosity, why is set-value not vulnerable to the same concern? Is there no CVE for it yet or did they solve something differently?
Can dset be patched rather than discarded? Is there a link to separate discussion about that?