CVE-2022-21189
dexie < 3.2.2 and 4.0.0-alpha.1 to 4.0.0-alpha.3 - Prototype Pollution via setByKeyPath Function
Severity
HIGH
Title source: llmDescription
Versions of the dexie package before 3.2.2, and from 4.0.0-alpha.1 before 4.0.0-alpha.3, are vulnerable to prototype pollution in the Dexie.setByKeyPath(obj, keyPath, value) function, which does not properly check the keys being set (such as __proto__ or constructor). This can allow an attacker to add or modify properties of Object.prototype, leading to a prototype pollution vulnerability. **Note:** This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input.
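As an added example (not Dexie's own code), the hardening this description calls for: a setByKeyPath-style setter that rejects __proto__, constructor and prototype segments before walking a dotted keyPath, only descends into own properties, and a baseline check a test suite can use to detect a polluted Object.prototype. The function names, and the restriction to dotted string keyPaths, are assumptions of this example.

```javascript
// Added example, not Dexie's code: a setByKeyPath-style setter that rejects
// prototype-polluting segments. Assumes dotted string keyPaths ("a.b.c").
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Snapshot of Object.prototype's own property names at load time, so a test
// suite can detect any key later added to the shared prototype.
const PROTO_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// Returns true only if every segment of the path is a non-empty, harmless key.
function isSafeKeyPath(keyPath) {
  if (typeof keyPath !== "string" || keyPath.length === 0) return false;
  return keyPath
    .split(".")
    .every((seg) => seg.length > 0 && !FORBIDDEN_SEGMENTS.has(seg));
}

// Sets obj[a][b][c] = value for keyPath "a.b.c", creating intermediate plain
// objects. Throws instead of walking into __proto__/constructor/prototype.
function safeSetByKeyPath(obj, keyPath, value) {
  if (obj === null || typeof obj !== "object") {
    throw new TypeError("target must be an object");
  }
  if (!isSafeKeyPath(keyPath)) {
    throw new TypeError(`refusing unsafe keyPath: ${String(keyPath)}`);
  }
  const segments = keyPath.split(".");
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Only descend into an own, non-null object property; anything inherited
    // or non-object is replaced by a fresh plain object on the target itself.
    const own = Object.prototype.hasOwnProperty.call(cur, seg) ? cur[seg] : undefined;
    if (own === null || typeof own !== "object") {
      cur[seg] = {};
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// True if Object.prototype still has exactly the properties seen at load.
function objectPrototypeUnchanged() {
  const now = Object.getOwnPropertyNames(Object.prototype);
  return now.length === PROTO_BASELINE.size && now.every((k) => PROTO_BASELINE.has(k));
}
```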
References (4)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-DEXIE-2607042
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805308
Broken Link x_refsource_misc
https://github.com/dexie/Dexie.js/blob/fe682ef24568278c3b31d9d6c93de095d4b77ae8/src/functions/utils.ts%23L134-L164
Patch, Third Party Advisory x_refsource_misc
https://github.com/dexie/Dexie.js/commit/1d655a69b9f28c3af6fae10cf5c61df387dc689b
Scores
CVSS v3
7.3
EPSS
0.0176
EPSS Percentile
75.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-1321
Status
published
Products (3)
dexie/dexie
4.0.0 alpha1 (2 CPE variants)
dexie/dexie
< 3.2.2
npm/dexie
0 - 3.2.2
Published
May 01, 2022
Tracked Since
Feb 18, 2026