GHSA-f6v4-cf5j-vf3w

GitHub Security Advisory

dset Prototype Pollution vulnerability

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due to improper sanitization of user input. This vulnerability allows an attacker to inject a malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.
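
The pattern behind this class of bug and the key check that blocks it, as an added example (not code from the advisory, and not dset's source or its actual fix). The names naiveSet, safeSet and BLOCKED_KEYS and the sample path are constructed for illustration.

```javascript
// Added illustration: a simplified dot-path setter, not dset's source code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Unsafe pattern: walks every path segment with no key filtering.
function naiveSet(obj, path, value) {
  const keys = path.split('.');
  let node = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k]; // for "__proto__" this steps onto Object.prototype
  }
  node[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened pattern: coerce segments to strings, reject prototype-reaching
// keys, and only descend into properties the object itself owns.
function safeSet(obj, path, value) {
  const keys = Array.isArray(path) ? path.map(String) : String(path).split('.');
  if (keys.some((k) => BLOCKED_KEYS.has(k))) {
    throw new TypeError('unsafe path segment rejected');
  }
  let node = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(node, k);
    if (!own || typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return obj;
}

function demo() {
  const out = {};
  naiveSet({}, '__proto__.polluted', true);
  out.naivePolluted = ({}).polluted === true; // every object now inherits it
  delete Object.prototype.polluted; // restore the global prototype
  try {
    safeSet({}, '__proto__.polluted', true);
    out.safeRejected = false;
  } catch (err) {
    out.safeRejected = err instanceof TypeError;
  }
  out.safePolluted = ({}).polluted === true;
  out.normalWrite = safeSet({}, 'a.b.c', 1).a.b.c;
  return out;
}
console.log(demo());
```

In a real project the remedy the advisory gives is upgrading dset to 3.1.4 or later; a guard like safeSet only applies to setters you maintain yourself.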

Affected Packages

npm dset
Affected versions: 0 (fixed in 3.1.4)

Related CVEs

Key Information

GHSA ID: GHSA-f6v4-cf5j-vf3w
Published: September 11, 2024 6:30 AM
Last Modified: September 11, 2024 11:11 PM
CVSS Score: 7.5/10
Primary Ecosystem: npm
Primary Package: dset
GitHub Reviewed: ✓ Yes

Dataset

Last updated: June 15, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.