CVE-2023-26139

HIGH

underscore-keypath <0.0.11 - Prototype Pollution

Description

Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. The vulnerability is exploitable because input is not properly sanitized, which allows arguments like “__proto__”.
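
The bug class described above (CWE-1321), shown as an added example and not the underscore-keypath source: a keypath setter that walks dotted segments without filtering, next to a hardened form. The function names, the FORBIDDEN list and the "polluted" property are assumptions made for illustration.

```javascript
// Illustrative keypath setter (hypothetical, not the package's code).
// Walks "a.b.c" and creates missing intermediate objects.
function setPropertyUnsafe(target, keypath, value) {
  const parts = keypath.split(".");
  let node = target;
  for (const key of parts.slice(0, -1)) {
    if (node[key] === undefined) node[key] = {};
    node = node[key]; // a "__proto__" segment resolves to Object.prototype
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Segments that can reach a prototype object from an ordinary object.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Hardened form: rejects prototype-reaching segments and descends
// only through own properties that hold objects.
function setPropertySafe(target, keypath, value) {
  const parts = keypath.split(".");
  for (const key of parts) {
    if (FORBIDDEN.has(key)) throw new TypeError(`refused keypath segment: ${key}`);
  }
  let node = target;
  for (const key of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== "object") node[key] = {};
    node = node[key];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Runs both setters on a constructed keypath and reports whether an
// unrelated, freshly created object picked up the property.
function demo() {
  const keypath = "__proto__.polluted"; // constructed sample input
  const result = { unsafePolluted: false, safePolluted: false, safeError: null };
  setPropertyUnsafe({}, keypath, true);
  result.unsafePolluted = ({}).polluted === true;
  delete Object.prototype.polluted; // undo the pollution before the next check
  try { setPropertySafe({}, keypath, true); } catch (e) { result.safeError = e.message; }
  result.safePolluted = ({}).polluted === true;
  return result;
}

console.log(demo());
```

Freezing Object.prototype or using objects created with Object.create(null) for untrusted keys are complementary mitigations when the setter itself cannot be changed.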

Scores

CVSS v3 7.5
EPSS 0.0014
EPSS Percentile 33.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-1321
Status published
Products (2)
npm/underscore-keypath 0.0.11 (npm)
underscore-keypath_project/underscore-keypath 0.0.11
Published Aug 01, 2023
Tracked Since Feb 18, 2026