CVE-2023-45827

HIGH

clickbar/dot-diver < 1.0.2 - Prototype Pollution via setByPath Function

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-45827. PoCs published by 200101WhoAmI.

AI-analyzed exploit summary The repository provides a technical analysis of CVE-2023-45827, a Prototype Pollution vulnerability in the @clickbar/dot-diver npm package. It includes a code snippet demonstrating the vulnerability and references the affected code in the package.

Description

Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can leads to remote code execution (RCE). This issue has been addressed in commit `98daf567` which has been included in release 1.0.2. Users are advised to upgrade. There are no known workarounds to this vulnerability.

Exploits (1)

nomisec WRITEUP
by 200101WhoAmI · poc
https://github.com/200101WhoAmI/CVE-2023-45827

The repository provides a technical analysis of CVE-2023-45827, a Prototype Pollution vulnerability in the @clickbar/dot-diver npm package. It includes a code snippet demonstrating the vulnerability and references the affected code in the package.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: @clickbar/dot-diver npm package
No auth needed
Prerequisites: Access to an application using the vulnerable @clickbar/dot-diver package
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 7.3
EPSS 0.1020
EPSS Percentile 93.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-1321
Status published
Products (2)
clickbar/dot-diver < 1.0.2
clickbar/dot-diver 0 - 1.0.2npm
Published Nov 06, 2023
Tracked Since Feb 18, 2026