EIQ-2019-0032

ID	EIQ-2019-0032
CVE	CVE-2019-10747
Description	set-value enables prototype pollution
Date	04 Sep 2019
Severity	4 - CRITICAL
CVSSv3 score	9.8
Status	2.5.0
Assessment	set-value versions 2.0.0 and earlier, and versions 3.0.0 and earlier could enable an attacker to inject properties into JavaScript prototype objects (prototype pollution) by exploiting a vulnerability through the `set` function: `set` fails to validate updated object properties. An attacker could add or modify object prototype properties of `Object.prototype` with a `constructor` payload. Modified properties are propagated to all objects through inheritance . An attacker could leverage prototype pollution by remotely executing arbitrary code, or by triggering JavaScript exceptions to carry out a denial of service (DoS) attack. This vulnerability is a false positive: t his dependency is never packaged in our production code.
Mitigation	Upgrade set-value to version 2.0.1 or later, or version 3.0.1 or later, as per vendor's recommendation. At the moment, it is not possible to globally upgrade set-value, because it occurs at least once as a sub-dependency. Sub-dependencies are indirect dependencies of other third-party dependencies. We cannot control these dependencies. We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers. We test direct dependencies by scanning fixed builds, and then by checking the corresponding vulnerability reports to verify that they no longer include the addressed vulnerabilities. At the moment, there is no way to reliably test indirect dependencies.
Affected versions	2.4.0 and earlier
Notes	For more information, see: npm security advisory about the vulnerability Snyk report about the vulnerability GitHub commit with the fix CWE-88 CWE-400

< Back to all security issues and mitigation actions

In release notes 2.5.0