A flaw in input validation in the npm package utils-extend version 1.0.8 and earlier may allow a prototype pollution attack that may result in remote code execution or denial of service of applications using utils-extend.
Prototype pollution vulnerability in the TypeORM package < 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks.
All versions of package safetydance are vulnerable to Prototype Pollution via the set function.
Versions of package locutus before 2.0.12 are vulnerable to Prototype Pollution via the php.strings.parse_str function.
The package bmoor before 0.8.12 is vulnerable to Prototype Pollution via the set function.
All versions of package templ8 are vulnerable to Prototype Pollution via the parse function.
All versions of package gammautils are vulnerable to Prototype Pollution via the deepSet and deepMerge functions.
All versions of phpjs are vulnerable to Prototype Pollution via parse_str.
All versions of package safe-object2 are vulnerable to Prototype Pollution via the setter function.
All versions of package deeps are vulnerable to Prototype Pollution via the set function.
This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.
The packages irrelon-path and @irrelon/path before 4.7.0 are vulnerable to Prototype Pollution via the set, unSet, pushVal and pullVal functions.
This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn function 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to Prototype Pollution.
All versions of package deep-get-set are vulnerable to Prototype Pollution via the main function.
All versions of package nis-utils are vulnerable to Prototype Pollution via the setValue function.
This affects all versions of package json-ptr. The issue occurs in the set operation (https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true. The function recursively sets the property in the target object; however, it does not properly check the key being set, leading to prototype pollution.
All versions of package gedi are vulnerable to Prototype Pollution via the set function.
madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue.
ini-parser through 0.0.2 is vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of Object.prototype using a '__proto__' payload.
The package connie-lang before 0.1.1 is vulnerable to Prototype Pollution in the configuration language library used by connie.
The package asciitable.js before 1.0.3 is vulnerable to Prototype Pollution via the main function.
The package property-expr before 2.0.3 is vulnerable to Prototype Pollution via the setter function.
The package mathjs before 7.5.1 is vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates.
All versions of package tiny-conf are vulnerable to Prototype Pollution via the set function.
All versions of package worksmith are vulnerable to Prototype Pollution via the setValue function.
All versions of package dot-notes are vulnerable to Prototype Pollution via the create function.
The package y18n before 3.2.2, 4.0.1 and 5.0.5 is vulnerable to Prototype Pollution.
All versions of package node-oojs are vulnerable to Prototype Pollution via the setPath function.
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
This affects the package json8 before 1.0.3. The function adds the property specified in the path to the target object; however, it does not properly check the key being set, leading to prototype pollution.
All versions of package arr-flatten-unflatten are vulnerable to Prototype Pollution via the constructor.
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
@std/toml is the Deno Standard Library. Prior to version 1.0.9, an attacker can pollute the prototype chain in the Node.js runtime and in the browser when untrusted TOML data is parsed, thus achieving a Prototype Pollution (PP) vulnerability. This is because the library merges an untrusted object into an empty object, and an empty object by default carries the prototype chain. This issue has been patched in version 1.0.9.
The npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to the expression evaluation interface can use JavaScript's prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.
Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can lead to remote code execution (RCE). This issue has been addressed in commit `98daf567`, which is included in release 1.0.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
All versions of the package flatnest are vulnerable to Prototype Pollution via the nest() function in the flatnest/nest.js file.
Minimist <=1.2.5 is vulnerable to Prototype Pollution via the setKey() function in the file index.js (lines 69-95).