CVE-2020-28276

Prototype pollution vulnerability in 'deep-set' versions 1.0.0 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.

Prototype pollution vulnerability in 'deep-set' versions 1.0.0 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.

The NPM module 'deep-set' can be abused by Prototype Pollution vulnerability since the function `deepSet()` does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution. ### PoC ```js var deepSet = require('deep-set') var obj = {'1':'2'} console.log(obj.isAdmin); deepSet(obj, '__proto__.isAdmin', 'true') console.log(obj.isAdmin); ```

The NPM module 'deep-set' can be abused by Prototype Pollution vulnerability since the function `deepSet()` does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution. ### PoC ```js var deepSet = require('deep-set') var obj = {'1':'2'} console.log(obj.isAdmin); deepSet(obj, '__proto__.isAdmin', 'true') console.log(obj.isAdmin); ```

Una vulnerabilidad de contaminación de prototipo en "deep-set" versiones 1.0.0 hasta 1.0.1, permite a un atacante causar una denegación de servicio y puede conllevar a una ejecución de código remota