Headline
CVE-2022-31106: Merge pull request from GHSA-8j79-hfj5-f2xm · Clever/underscore.deep@b5e109a
Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of underscore.deep prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An attacker can craft a malicious payload and pass it to deepFromFlat, which would pollute any future Objects created. Any users that have deepFromFlat or deepPick (due to its dependency on deepFromFlat) in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade may mitigate this issue by modifying deepFromFlat to prevent specific keywords which will prevent this from happening.
@@ -20,3 +20,13 @@ describe '_.deepFromFlat’, -> _(tests).each (test) -> it "deepens #{JSON.stringify test.input}", -> assert.deepEqual _.deepFromFlat(test.input), test.output
it "does not merge special `Object` properties", -> _.deepFromFlat({ "__proto__.polluted1": true }) _.deepFromFlat({ "constructor.prototype.polluted2": true }) p1 = {}.polluted1 p2 = {}.polluted2 assert.strictEqual(p1, undefined) assert.strictEqual(p2, undefined) delete Object.prototype.polluted1 delete Object.prototype.polluted2