Prototype Pollution vulnerability in setByPath function of Dot Diver library (versions prior to 1.0.2) allows for remote code execution (RCE)

Prototype Pollution vulnerability in setByPath function of Dot Diver library (versions prior to 1.0.2) allows for remote code execution (RCE)

CVE-2023-45827 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can leads to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability.

Learn more about our Cis Benchmark Audit For F5.