ahdinosaur set-in
- >= 2.0.1, < 2.0.5
A prototype pollution vulnerability exists in the npm package set-in, from version 2.0.1 up to, but not including, 2.0.5. The vulnerability allows for the pollution of Object.prototype through crafted input that exploits Array.prototype. This issue arises despite a previous attempt to mitigate prototype pollution by restricting certain keys, as the vulnerability can still be leveraged to alter the prototype.
Exploitation of this vulnerability leads to prototype pollution, which can have serious security consequences depending on how the set-in package is utilized in downstream applications. Affected applications may experience authentication bypass, denial-of-service, or remote code execution if the polluted properties are used in conjunction with functions like eval or child_process.
To reproduce this vulnerability, install the set-in package version 2.0.1 or any version prior to 2.0.5. After installation, run a code snippet that hijacks the Array.prototype.includes method to return false. Then, use the set-in function to add a property to the Object.prototype via the constructor or prototype keys. Finally, check the polluted property to confirm the prototype pollution.
Users can upgrade to set-in version 2.0.5, which addresses the prototype pollution vulnerability.
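The weakness described above, a key restriction that depends on a replaceable built-in, is shown below next to a guard that does not depend on it. This is an added example, not set-in's own code and not the 2.0.5 patch. The names `setIn`, `isBlockedWeak`, `isBlockedStrict` and `compareGuards` are hypothetical, and the model assumes the restriction is a denylist checked with `Array.prototype.includes`.

```javascript
const BLOCKED = ['__proto__', 'constructor', 'prototype'];

// Weak guard: relies on Array.prototype.includes, which any code in the process can replace.
const isBlockedWeak = (key) => BLOCKED.includes(key);

// Hardened guard: direct comparisons, no call through a mutable built-in prototype.
const isBlockedStrict = (key) =>
  key === '__proto__' || key === 'constructor' || key === 'prototype';

// Hypothetical minimal nested setter, parameterised by the guard under test.
function setIn(target, path, value, isBlocked) {
  let node = target;
  for (let i = 0; i < path.length; i++) {
    const key = path[i];
    if (isBlocked(key)) throw new Error('blocked key: ' + String(key));
    if (i === path.length - 1) {
      node[key] = value;
      break;
    }
    const next = node[key];
    const walkable = next !== null && (typeof next === 'object' || typeof next === 'function');
    if (!walkable) node[key] = {};
    node = node[key];
  }
  return target;
}

// Runs both guards while includes() is replaced, as in the reproduction described above.
function compareGuards() {
  const original = Array.prototype.includes;
  const path = ['constructor', 'prototype', 'polluted'];
  const result = { weakPolluted: false, strictRejected: false, strictClean: false };
  Array.prototype.includes = () => false; // constructed tampering scenario
  try {
    setIn({}, path, 'yes', isBlockedWeak);
    result.weakPolluted = ({}).polluted === 'yes';
    delete Object.prototype.polluted;
    try {
      setIn({}, path, 'yes', isBlockedStrict);
    } catch (err) {
      result.strictRejected = true;
    }
    result.strictClean = !('polluted' in {});
  } finally {
    Array.prototype.includes = original; // always restore the built-in
    delete Object.prototype.polluted;
  }
  return result;
}
console.log(compareGuards());
```

The same function can be used as a regression test against any key filter: a guard passes only if it still rejects the path while `includes` is replaced.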