
object-path @0.11.2

Status: rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 100
License: MIT
Install Scripts: No
Dependencies: 0
Dev Dependencies: 6
Package Size: 9.2 KB
Published

Access deep object properties using a path

Maintainers

mariocasciaro

Keywords

deep, path, access, bean, get, property, dot, prop, object, obj, notation, segment, value, nested, key

Dev Dependencies (6)

Package                      Constraint   Registry Status
chai                         ^3.5.0       auto_approved
mocha                        ^2.2.4       auto_approved
istanbul                     ^0.4.4       No greenflagged match
coveralls                    ^2.11.2      auto_approved
mocha-lcov-reporter          ^1.2.0       auto_approved
@mariocasciaro/benchpress    ^0.1.3       Not imported

Risk Dispositions (2 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule                       Source   Disposition   Author   Reason
osv:GHSA-8v63-cqqc-6r2c    osv      reject        AI       AI (osv): Prototype pollution in del(); affects all versions < 0.11.8. Fix available. Verdict generalizes across affected range.
osv:GHSA-v39p-96qg-c8rf    osv      reject        AI       AI (osv): Type confusion bypass of CVE-2020-15256; affects all versions < 0.11.6. Fix available. Verdict generalizes across affected range.

SAST Findings (4)

CRITICAL GHSA-8v63-cqqc-6r2c: Prototype Pollution in object-path osv

[Always reject] CVSS 7.5 (HIGH) — CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The `del()` function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like `toString` on all objects.

CRITICAL GHSA-v39p-96qg-c8rf: Prototype Pollution in object-path osv

[Always reject] CVSS 5.6 (MEDIUM) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition `currentPath === '__proto__'` returns false if `currentPath` is `['__proto__']`. This is because the `===` operator always returns false when the operands are of different types.

HIGH GHSA-cwx2-736x-mf6w: Prototype pollution in object-path osv

CVSS 7.7 (HIGH) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

Impact: A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable.

Patches: Upgrade to version >= 0.11.5.

Workarounds: Don't use the `includeInheritedProps: true` option or the `withInheritedProps` instance if using a version >= 0.11.0.

References: Read more about the prototype pollution vulnerability: https://codeburst.io/what-is-prototype-pollution-49482fc4b638

For more information: If you have any questions or comments about this advisory, open an issue in object-path (https://github.com/mariocasciaro/object-path).

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 100 (capped from 108). Findings: 2 critical (+80), 1 high (+25), 1 low (+3).

Commit: f01ab7ce2c9c

Published to npm: