Prototype Pollution in object-path #3
Open Issue
Reported on: 2 months ago
Affected Component: object-path (npm) dependency in DIDFrontend/package-lock.json
Problem Description
Dependabot is unable to update object-path to a secure, non-vulnerable version due to dependency conflicts.
Vulnerability: object-path is vulnerable to Prototype Pollution (CWE-1321).
The del() function in the library does not validate which object properties it deletes, so a crafted path can reach the prototype of Object and modify it. This can result in the modification of default properties such as toString on all objects.
Affected Versions:
- Package: object-path
- Vulnerable Versions: < 0.11.8
- Fixed Version: 0.11.8
Conflict Details:
- The latest possible version that can be installed is 0.6.0.
- This is because of the following dependency: sort-by@1.2.0 explicitly requires object-path@0.6.0.
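As an added illustration of the mitigation the fixed version applies (this is example code, not object-path's own implementation), the nested-delete helper below rejects any path segment that could reach Object.prototype and only walks own properties. Names such as `safeDel` and `FORBIDDEN_SEGMENTS` are assumptions for this example.

```javascript
// Added example, not object-path's code: a minimal nested-delete helper that
// refuses path segments able to reach Object.prototype, the class of input
// the advisory above says object-path < 0.11.8 does not reject in del().
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept a dotted string or an array path and reject unsafe segments.
function toSafePath(path) {
  const parts = Array.isArray(path) ? path.map(String) : String(path).split('.');
  for (const seg of parts) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`refusing path segment "${seg}": it would reach a prototype`);
    }
  }
  return parts;
}

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Delete the property at `path` on `obj`. Only own properties are traversed,
// so inherited properties (and Object.prototype itself) are never touched.
function safeDel(obj, path) {
  const parts = toSafePath(path);
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur === null || typeof cur !== 'object' || !hasOwn(cur, parts[i])) {
      return obj; // path does not exist as own properties: nothing to delete
    }
    cur = cur[parts[i]];
  }
  const last = parts[parts.length - 1];
  if (cur !== null && typeof cur === 'object' && hasOwn(cur, last)) {
    delete cur[last];
  }
  return obj;
}

// Sanity check a defender can run after untrusted-path operations: a fresh
// object must still carry the default toString behaviour.
function prototypeIntact() {
  return typeof ({}).toString === 'function' && ({}).toString() === '[object Object]';
}
```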
References:
- CVE Details for object-path (Add CVE if applicable)
- object-path GitHub Repository
- sort-by GitHub Repository (Replace with actual repository link)
Issue Tracking
This issue affects the DID-Django repository and any applications relying on object-path indirectly via sort-by.
Priority: High
Status: Open
Assigned To: (Add assignee if applicable)
Milestone: (Add milestone if applicable)