EIQ-2019-0032#

ID

EIQ-2019-0032

CVE

CVE-2019-10747

Description

set-value enables prototype pollution

Date

04 Sep 2019

Severity

4 - CRITICAL

CVSSv3 score

9.8

Status

✅ 2.5.0

Assessment

set-value versions 2.0.0 and earlier, and versions 3.0.0 and earlier could enable an attacker to inject properties into JavaScript prototype objects (prototype pollution) by exploiting a vulnerability through the set function: set fails to validate updated object properties.

An attacker could add or modify object prototype properties of Object.prototype with a constructor payload.

Modified properties are propagated to all objects through inheritance .

An attacker could leverage prototype pollution by remotely executing arbitrary code, or by triggering JavaScript exceptions to carry out a denial of service (DoS) attack.

Note

This vulnerability is a false positive: this dependency is never packaged in our production code.

Mitigation

Upgrade set-value to version 2.0.1 or later, or version 3.0.1 or later, as per vendor’s recommendation.

At the moment, it is not possible to globally upgrade set-value, because it occurs at least once as a sub-dependency.

Sub-dependencies are indirect dependencies of other third-party dependencies.

We cannot control these dependencies.

We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers.

Note

We test direct dependencies by scanning fixed builds, and then by checking the corresponding vulnerability reports to verify that they no longer include the addressed vulnerabilities.

At the moment, there is no way to reliably test indirect dependencies.

Affected versions

2.4.0 and earlier

Notes

For more information, see: