Vulnerability Details CVE-2023-45827
Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can leads to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.072
EPSS Ranking 91.2%
CVSS Severity
CVSS v3 Score 7.3
References
- https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a
- https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47
- https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a
- https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47