Description
The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.
References (1)
Core 1
Core References
Exploit, Mitigation, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/390929
Scores
CVSS v3
8.8
EPSS
0.0214
EPSS Percentile
79.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (2)
dot_project/dot
1.1.2
npm/dot
0 - 1.1.3npm
Published
Mar 15, 2020
Tracked Since
Feb 18, 2026