Fazendaaa/AnilistBot:package.json

A new code base to Anilist bot in Telegram.
Vulnerabilities: 1 via 1 paths
Dependencies: 163
Source: GitHub

medium severity

Prototype Pollution

  • Vulnerable module: dot-prop
  • Introduced through: google-translate-open-api@1.3.2

Detailed paths

  • Introduced through: anilistbot@Fazendaaa/AnilistBot › google-translate-open-api@1.3.2 › @vitalets/google-translate-token@1.1.0 › configstore@2.1.0 › dot-prop@3.0.0

Overview

dot-prop is a package to get, set, or delete a property from a nested object using a dot path.

Affected versions of this package are vulnerable to Prototype Pollution. It is possible for a user to modify the prototype of a base object.

PoC by aaron_costello

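const dotProp = require("dot-prop");
const object = {};
console.log("Before " + object.b); // undefined
// The '__proto__' path segment makes set() write to Object.prototype
dotProp.set(object, '__proto__.b', true);
console.log("After " + {}.b); // true: a fresh object now inherits b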

Remediation

Upgrade dot-prop to version 5.1.1 or higher.
