Vulnerability Details CVE-2022-25354
The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049)
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 64.0%
CVSS Severity
CVSS v3 Score 8.6
CVSS v2 Score 7.5
References
- https://github.com/ahdinosaur/set-in/blob/dfc226d95cce8129de6708661e06e0c2c06f3490/index.js%23L5
- https://github.com/ahdinosaur/set-in/commit/6bad255961d379e4b1f5fbc52ef9dc8420816f24
- https://snyk.io/vuln/SNYK-JS-SETIN-2388571
- https://github.com/ahdinosaur/set-in/blob/dfc226d95cce8129de6708661e06e0c2c06f3490/index.js%23L5
- https://github.com/ahdinosaur/set-in/commit/6bad255961d379e4b1f5fbc52ef9dc8420816f24
- https://snyk.io/vuln/SNYK-JS-SETIN-2388571
Products affected by CVE-2022-25354
-
cpe:2.3:a:set-in_project:set-in:1.0.0
-
cpe:2.3:a:set-in_project:set-in:1.1.0
-
cpe:2.3:a:set-in_project:set-in:1.1.1
-
cpe:2.3:a:set-in_project:set-in:2.0.0
-
cpe:2.3:a:set-in_project:set-in:2.0.1
-
cpe:2.3:a:set-in_project:set-in:2.0.2