CVE-2020-15256

A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the `includeInheritedProps: true` options or the `withInheritedProps` instance if using a version >= 0.11.0.

A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the `includeInheritedProps: true` options or the `withInheritedProps` instance if using a version >= 0.11.0.

### Impact A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable. ### Patches Upgrade to version >= 0.11.5 ### Workarounds Don't use the `includeInheritedProps: true` options or the `withInheritedProps` instance if using a version >= 0.11.0. ### References [Read more about the prototype pollution vulnerability](https://codeburst.io/what-is-prototype-pollution-49482fc4b638) ### For more information If you have any questions or comments about this advisory: * Open an issue in [object-path](https://github.com/mariocasciaro/object-path)

### Impact A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable. ### Patches Upgrade to version >= 0.11.5 ### Workarounds Don't use the `includeInheritedProps: true` options or the `withInheritedProps` instance if using a version >= 0.11.0. ### References [Read more about the prototype pollution vulnerability](https://codeburst.io/what-is-prototype-pollution-49482fc4b638) ### For more information If you have any questions or comments about this advisory: * Open an issue in [object-path](https://github.com/mariocasciaro/object-path)

Se ha encontrado una vulnerabilidad de contaminación de prototipo en "object-path" versiones anteriores a 0.11.4, incluyéndola afectando al método "set()".&#xa0;La vulnerabilidad es limitada al modo "includeInheritedProps" (si la versión posterior a 0.11.0 incluyéndola es usada), que debe habilitarse explícitamente mediante la creación de una nueva instancia de "object-path" y configurando la opción "includeInheritedProps: true", o usando la instancia predeterminada "withInheritedProps".&#xa0;El modo de funcionamiento predeterminado no está afectado por la vulnerabilidad si las versiones posteriores a 0.11.0 incluyéndola es usada.&#xa0;Cualquier uso de "set()" en versiones anteriores a 0.11.0 es vulnerable.&#xa0;El problema es corregido en la versión 0.11.5 de la ruta de objeto. Como solución alternativa, no use las opciones "includeInheritedProps: true" o la instancia "withInheritedProps" si usa una versión anterior a 0.11.0