Prototype Pollution Vulnerability in object-path Dependency

[DOodle25]

Prototype Pollution Vulnerability in object-path Dependency

Summary

A Prototype Pollution vulnerability has been identified in the object-path package versions < 0.11.8. This vulnerability allows attackers to modify the prototype of Object, potentially altering default properties like toString across all objects. The issue arises from improper handling within the del() function, which fails to validate object properties, leading to potential security risks.

Impact

This vulnerability allows attackers to exploit the del() function in object-path to modify the Object prototype. By injecting or modifying prototype properties, attackers could impact the behavior of JavaScript objects throughout the application, leading to unexpected and potentially harmful behavior.

Dependabot Alert

Dependabot cannot update object-path to a non-vulnerable version due to a conflicting dependency:

• [email protected] requires [email protected]

Currently, no patched version is available for object-path below 0.11.8. The earliest fixed version is 0.11.8, but due to dependency conflicts, an upgrade is not feasible at this time.

References

For additional information, refer to:

• Prototype Pollution Vulnerability in JavaScript