
CVE-2021-23373: set-deep-prop Prototype Pollution

CVSS 3.1 Score: 9.8 (Critical)

Basic Information

EPSS Score: 0.29368%
Published: 7/26/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name  | Ecosystem | Vulnerable Versions | First Patched Version
set-deep-prop | npm       | <= 1.0.0            | none listed

Vulnerability Intelligence
Miggo AI Root Cause Analysis

  1. All advisories explicitly state that the vulnerability lies in the package's main functionality.
  2. The PoC demonstrates prototype pollution through a direct call to setDeepProp with an attacker-chosen path.
  3. The package's purpose is deep property assignment, which inherently risks prototype pollution when the path segments (for example __proto__, constructor or prototype) are not validated before traversal.
  4. No other functions are mentioned in the vulnerability reports, and the package appears to be a single-function utility.
  5. The attack pattern matches classic prototype pollution via uncontrolled path parameters in deep assignment functions: walking the path lands the setter on a shared prototype object, so the final assignment is visible on every object in the process.

Vulnerable functions


WAF Protection Rules

WAF Rule

All versions of package set-deep-prop are vulnerable to Prototype Pollution via the main functionality. No patched release is listed, so callers must reject path segments such as __proto__, constructor and prototype before handing a path to the setter, or replace the package.
