| CVE | Vendors | Products | Updated | CVSS v3.1 |
| This affects the package @strikeentco/set before 1.0.2. It allows an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-STRIKEENTCOSET-1038821 |
| This affects the package putil-merge before 3.8.0. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-PUTILMERGE-1317077 |
| The package min-dash before 3.8.1 is vulnerable to Prototype Pollution via the set method due to missing enforcement of key types. |
| This affects all versions of package x-assign. The global proto object can be polluted using the __proto__ object. |
| All versions of package dojo are vulnerable to Prototype Pollution via the setObject function. |
| This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine. |
| All versions of package config-handler are vulnerable to Prototype Pollution when loading config files. |
| This affects all versions of package @cookiex/deep. The global proto object can be polluted using the __proto__ object. |
| The package algoliasearch-helper before 3.6.2 is vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.js (SearchParameters._parseNumbers) without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns. |
| All versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function. |
| This affects the package open-graph before 0.2.6. The function parse could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor payload. |
| All versions of package deepmergefn are vulnerable to Prototype Pollution via the deepMerge function. |
| This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload. |
| All versions of package ts-nodash are vulnerable to Prototype Pollution via the Merge() function due to a lack of input validation. |
| All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality. |
| All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead. |
| All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function. |
| This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor.prototype payload. |
| The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source. |
| All versions of package set-deep-prop are vulnerable to Prototype Pollution via the main functionality. |