All versions of package dset are vulnerable to Prototype Pollution via \'dset/merge\' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or protorype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.
Metrics
CVSS Version: 3.1 |
Base Score: 6.5 MEDIUM Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L/E:P