just-safe-set@1.1.0 vulnerabilities

set value at property, create intermediate properties if necessary

Direct Vulnerabilities

Known vulnerabilities in the just-safe-set package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Prototype Pollution

just-safe-set is a part of a library of zero-dependency npm modules that do just do one thing.

Affected versions of this package are vulnerable to Prototype Pollution via type confusion. If the property key is [__proto__] then the allocated key will also be __proto__.

How to fix Prototype Pollution?

Upgrade just-safe-set to version 4.0.2 or higher.

<4.0.2
  • H
Prototype Pollution

just-safe-set is a part of a library of zero-dependency npm modules that do just do one thing.

Affected versions of this package are vulnerable to Prototype Pollution. The function set() does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or is able to manipulate the property which leads to DoS or potentially RCE.

PoC

var justSafeSet = require("just-safe-set")
var obj = {}
console.log("Before: " + {}.polluted);
justSafeSet(obj,'__proto__.polluted','polluted');
console.log("After: " + {}.polluted);

How to fix Prototype Pollution?

Upgrade just-safe-set to version 2.2.2 or higher.

>=1.0.0 <2.2.2