CVE-2021-23440: Prototype Pollution in set-value
CVSS Score: 7.3 (CVSS v3.1)
Basic Information
CVE ID:
GHSA ID:
EPSS Score: 0.20402%
CWE:
Published: 2021-09-13
Updated: 2023-11-03
KEV Status: No
Technology: C# (set-value-nuget on NuGet); JavaScript (set-value on npm)
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| set-value | npm | < 2.0.1 | 2.0.1 |
| set-value | npm | >= 3.0.0, < 3.0.3 | 3.0.3 |
| set-value | npm | >= 4.0.0, < 4.0.1 | 4.0.1 |
| set-value-nuget | nuget | < 2.0.0 | 2.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper type handling in validateKey. The pre-patch check compared each path segment against the literal strings __proto__, constructor and prototype without first ensuring the segment was a string, so a nested array such as ['__proto__'] passed validation yet was coerced to '__proto__' when used as a property key. That is a type confusion that bypasses the unsafe-key guard added for CVE-2019-10747. Commit 383b72d fixed this by converting the key to a string before the safety check, confirming validateKey as the vulnerable point. The CVE description explicitly calls out exploitation through array-valued path parameters.
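The bypass described above, shown as an added example that is not set-value's own code: a deliberately minimal re-implementation of path walking with the pre-patch style check beside a hardened one. The names weakValidateKey, safeValidateKey, setPath and demo are this example's, not the library's, and the attacker path is constructed inline.

```javascript
// Added example for CVE-2021-23440. Not set-value's source; a minimal
// re-implementation of "walk a key path and assign" so the type-confusion
// bypass can be observed. Function names here are assumptions, not the
// library's API.

const UNSAFE = new Set(['__proto__', 'constructor', 'prototype']);

// Pre-patch style check: compares the segment against string literals only.
// An array such as ['__proto__'] is not === '__proto__' (Set.has uses
// SameValueZero), so it passes, yet obj[['__proto__']] is coerced by
// ToPropertyKey to obj['__proto__'] at the moment of property access.
function weakValidateKey(key) {
  if (UNSAFE.has(key)) throw new Error(`Cannot set unsafe key: "${key}"`);
}

// Hardened check: reject anything that is not already a string or symbol
// BEFORE the blocklist comparison, so no coercion can happen after validation.
function safeValidateKey(key) {
  if (typeof key !== 'string' && typeof key !== 'symbol') {
    throw new TypeError('Object keys must be strings or symbols');
  }
  if (UNSAFE.has(key)) throw new Error(`Cannot set unsafe key: "${key}"`);
}

// Walks `path` (an array of segments, as set-value accepts) and assigns
// `value` at the leaf, validating every segment with the supplied check.
function setPath(target, path, value, validateKey) {
  let obj = target;
  for (let i = 0; i < path.length; i++) {
    const key = path[i];
    validateKey(key);
    if (i === path.length - 1) {
      obj[key] = value;
    } else {
      // Create an intermediate container only if nothing usable is there.
      if (obj[key] === null || typeof obj[key] !== 'object') obj[key] = {};
      obj = obj[key];
    }
  }
  return target;
}

// Runs the same attacker-controlled path against a given check and reports
// whether the assignment went through and whether an unrelated, freshly
// created object now carries the injected property (i.e. Object.prototype
// was polluted). Cleans up afterwards so successive runs start fresh.
function demo(validateKey) {
  const attackerPath = [['__proto__'], 'polluted']; // constructed: nested array, not a string
  let outcome;
  try {
    setPath({}, attackerPath, 'yes', validateKey);
    outcome = 'assigned';
  } catch (e) {
    outcome = `rejected: ${e.constructor.name}`;
  }
  const leaked = ({}).polluted;      // defined on every object if polluted
  delete Object.prototype.polluted;  // restore the global prototype
  return { outcome, leaked };
}

console.log('pre-patch check :', demo(weakValidateKey)); // assigned, leaked 'yes'
console.log('hardened check  :', demo(safeValidateKey)); // rejected: TypeError, leaked undefined
```

The plain string '__proto__' is caught by both checks; only the array form slips past the weak one, which is exactly why a string-literal blocklist has to be preceded by a type check (or by an explicit conversion to string, as the fix does) rather than relying on later coercion.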