CVE-2021-23440 — Prototype Pollution in set-value

Description

This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

How to fix CVE-2021-23440

To remediate CVE-2021-23440, upgrade the affected package to a fixed version below.

Debian/node-set-value—upgrade to 3.0.1-2+deb11u1 or later
—upgrade to 4.0.1 or later
—upgrade to 2.0.0 or later

Is CVE-2021-23440 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 3.0.1-2+deb11u1
>= 4.0.0, < 4.0.1
from 0, < 2.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23440
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-23440
PATCHgithub.com/jonschlinkert/set-value
WEBgithub.com/jonschlinkert/set-value/commit/09c4b108fea3c0260008590053ff13da64913245