A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable.
Upgrade to version >= 0.11.5.
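The difference between the two modes can be seen in a simplified model of a path setter. This is an added example, not object-path's source code or its actual patch; it shows own-property resolution, inherited-property resolution, and a segment blocklist as one common hardening. The names setPath, probe, inherited and guard and the marker key are assumptions made for the illustration.

```javascript
// Added illustration: a simplified path setter, NOT object-path's source code.
// `inherited` and `guard` are hypothetical option names used only here.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

function setPath(obj, path, value, { inherited = false, guard = false } = {}) {
  const keys = Array.isArray(path) ? path : String(path).split('.');
  let cur = obj;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    // Hardened form: refuse segments that can reach a prototype object.
    if (guard && BLOCKED.has(key)) {
      throw new Error('refusing path segment: ' + key);
    }
    if (i === keys.length - 1) {
      cur[key] = value;
      return obj;
    }
    // Inherited mode resolves segments through the prototype chain;
    // own-property mode only accepts properties set on the object itself.
    const present = inherited
      ? key in cur
      : Object.prototype.hasOwnProperty.call(cur, key);
    if (!present || cur[key] === null || typeof cur[key] !== 'object') {
      // Create the missing intermediate as an own data property.
      Object.defineProperty(cur, key, {
        value: {}, writable: true, enumerable: true, configurable: true,
      });
    }
    cur = cur[key];
  }
  return obj;
}

// Runs the setter with a constructed path and reports whether an unrelated
// object picked up the marker. Always removes the marker afterwards.
function probe(options) {
  const MARK = 'addedExampleMarker'; // constructed sample key
  try {
    setPath({}, ['__proto__', MARK], true, options);
    return MARK in ({}) ? 'polluted' : 'clean';
  } catch (err) {
    return 'rejected';
  } finally {
    delete Object.prototype[MARK];
  }
}

console.log(probe({ inherited: false }));              // own-property mode
console.log(probe({ inherited: true }));               // inherited mode
console.log(probe({ inherited: true, guard: true }));  // inherited + guard
```

The same probe pattern can be pointed at an installed setter in a test suite to confirm that the upgraded version leaves Object.prototype untouched.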
Advisory published: Oct 19th, 2020
Reported by Alejandro Romero, Oct 19th, 2020