CVE-2023-45827 HIGH

CVE-2023-45827: Prototype Pollution vulnerability in @clickbar/dot-diver

Vendor Clickbar
Product dot-diver
Weakness CWE-1321
Published November 6, 2023
Last update September 4, 2024

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

Description

Dot diver is a lightweight, powerful, and dependency-free TypeScript utility library that provides types and functions to work with object paths in dot notation. In versions prior to 1.0.2 there is a Prototype Pollution vulnerability in the `setByPath` function which can lead to remote code execution (RCE). This issue has been addressed in commit `98daf567`, which is included in release 1.0.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
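The CWE-1321 pattern behind this record, illustrated as an added example that is not dot-diver's code and does not reproduce its actual implementation: a minimal dot-path setter written the naive way, the same setter hardened so that it refuses the path segments that reach `Object.prototype`, and a small check that tells you whether the shared prototype has already been polluted. All function names here (`unsafeSetByPath`, `safeSetByPath`, `isPolluted`) are hypothetical and chosen for the illustration.

```typescript
// Added illustration of CWE-1321 (prototype pollution) in a dot-path setter.
// This is NOT @clickbar/dot-diver's code; the names below are hypothetical.

// Segments that, when walked on a plain object, land on Object.prototype or on
// a function's prototype instead of on an own property of the target.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Naive setter: walks the dotted path, creating intermediate objects, with no
// filtering of keys. A path such as "__proto__.x" descends into
// Object.prototype and writes "x" onto every object in the realm.
function unsafeSetByPath(target: Record<string, any>, path: string, value: unknown): void {
  const parts = path.split(".");
  let cur: any = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (cur[key] === undefined || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
}

// Hardened setter: rejects prototype-related segments up front and only
// descends into own, plain-object properties of the target, so inherited
// properties (including the prototype itself) are never used as a container.
function safeSetByPath(target: Record<string, any>, path: string, value: unknown): void {
  const parts = path.split(".");
  for (const p of parts) {
    if (FORBIDDEN_KEYS.has(p)) {
      throw new Error(`Refusing to set prototype-related key: ${p}`);
    }
  }
  let cur: any = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== "object" || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
}

// Detection helper: a freshly created, unrelated object should not see `key`.
// If it does, the shared prototype has been polluted by some earlier write.
function isPolluted(key: string): boolean {
  return key in ({} as Record<string, unknown>);
}
```

The check in `safeSetByPath` is the usual mitigation for this weakness class: deny-list the three prototype-reaching segments and never treat an inherited property as a place to write into. Running `isPolluted` on a canary key after untrusted input has been processed is a cheap way to detect pollution in tests or at runtime.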

Key dates

Disclosure timeline

November 6, 2023 CVE published
September 4, 2024 Record updated