VYPR
Critical severity · NVD Advisory · Published Aug 23, 2019 · Updated Aug 4, 2024

CVE-2019-10747

Description

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and __proto__ payloads.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Prototype Pollution in set-value allows attackers to add or modify Object.prototype properties via constructor, prototype, or __proto__ payloads.

Vulnerability

set-value versions before 3.0.1 are vulnerable to Prototype Pollution. The mixin-deep function can be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype, or __proto__ payloads [1][2]. This occurs because the library does not properly sanitize object keys that reference these special properties.

Exploitation

An attacker can exploit this by passing crafted object paths that traverse to __proto__ or constructor.prototype when calling set-value. No authentication is required; the attack is performed by providing malicious input to the set function. Applications that accept user-controlled object paths from sources such as API parameters, configuration files, or query strings are particularly at risk [3].

Impact

Successful exploitation allows an attacker to pollute Object.prototype, which can lead to unexpected behavior across the application, such as overriding default properties or bypassing security checks. In some environments, this can be leveraged for remote code execution or denial of service [3].

Mitigation

The fix was released in version 3.0.1. Users should update to at least 3.0.1, which disallows setting properties on __proto__, prototype, and constructor keys [1][2]. No workaround other than upgrading exists.
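To make the Vulnerability and Mitigation sections concrete, the following is an added example and not set-value's own code: a minimal dot-path setter that applies the same reserved-key rule as the 3.0.1 fix, a stricter variant that refuses the whole path instead of filtering out the reserved segment, and a runtime check that reports unexpected own properties on `Object.prototype`. The names `setPath`, `assertSafePath`, `findPollutedKeys` and the `FORBIDDEN_KEYS` set are assumptions for this illustration.

```javascript
// Added example (not set-value's own code): a dot-path setter hardened the
// same way as set-value 3.0.1, plus a runtime check for a polluted
// Object.prototype. All names below are assumptions for this illustration.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Same predicate as the fix: a segment is valid unless it names a reserved key.
function isValidKey(key) {
  return !FORBIDDEN_KEYS.has(String(key));
}

// Stricter than the fix: refuse the whole path instead of dropping the reserved
// segment, so a caller can never end up writing to a silently shortened path.
function assertSafePath(keys) {
  if (keys.length === 0) {
    throw new TypeError('path must not be empty');
  }
  for (const key of keys) {
    if (!isValidKey(key)) {
      throw new TypeError(`refusing to set a path through reserved key "${key}"`);
    }
  }
  return keys;
}

// Hardened setter: validates every segment first, then creates intermediaries
// only as own properties of the target (never by walking into inherited objects).
function setPath(target, path, value) {
  if (target === null || typeof target !== 'object') {
    throw new TypeError('target must be an object');
  }
  const segments = Array.isArray(path) ? path.map(String) : String(path).split('.');
  const keys = assertSafePath(segments);
  let current = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(current, key);
    if (!own || current[key] === null || typeof current[key] !== 'object') {
      current[key] = {}; // replace missing, inherited or scalar intermediaries
    }
    current = current[key];
  }
  current[keys[keys.length - 1]] = value;
  return target;
}

// Detection: report own properties of Object.prototype that were not present
// when this module loaded. Run it after processing untrusted input to catch a
// pollution that slipped through another library in the same process.
const BASELINE_PROTO_KEYS = new Set(Object.getOwnPropertyNames(Object.prototype));
function findPollutedKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !BASELINE_PROTO_KEYS.has(k));
}

// Demo on constructed input.
const obj = setPath({}, 'a.b.c', 'd');
console.log(JSON.stringify(obj)); // {"a":{"b":{"c":"d"}}}
try {
  setPath({}, '__proto__.polluted', true); // rejected before any write happens
} catch (err) {
  console.log(err.message);
}
console.log('polluted keys:', findPollutedKeys()); // []
```

The `hasOwnProperty` check is defence in depth: even if a reserved key were ever missed by the name filter, the setter would not descend into an inherited object such as a prototype, it would shadow it with a fresh own property instead. The baseline snapshot in `findPollutedKeys` is only as good as the moment it was taken, so take it at process start, before any untrusted input is handled.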

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions    Patched versions
set-value (npm)  < 2.0.1              2.0.1
set-value (npm)  >= 3.0.0, < 3.0.1    3.0.1
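As an added triage helper (not part of the advisory or the project), the block below turns the two affected ranges in the table into a version check and scans the `packages` map of a lockfileVersion 2/3 `package-lock.json` for every installed copy of set-value, transitive ones included. The range data comes from the table; the lockfile fragment `SAMPLE_LOCK` is constructed for the demo, and `checkSetValueVersion`, `auditLockfile` and `compareVersions` are assumed names.

```javascript
// Added example (not from the advisory or the project): map a set-value
// version onto the advisory's affected ranges and audit a package-lock.json.
// The ranges are from the advisory table; everything else is constructed.

const AFFECTED_RANGES = [
  { min: null,    max: '2.0.1', patched: '2.0.1' }, // < 2.0.1
  { min: '3.0.0', max: '3.0.1', patched: '3.0.1' }, // >= 3.0.0, < 3.0.1
];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 comparing major.minor.patch (pre-release tags ignored).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A version is affected when it falls inside one of the ranges above;
// releases in 2.0.1 .. 2.x and 3.0.1+ are outside both ranges.
function checkSetValueVersion(version) {
  for (const r of AFFECTED_RANGES) {
    const atLeastMin = r.min === null || compareVersions(version, r.min) >= 0;
    const belowMax = compareVersions(version, r.max) < 0;
    if (atLeastMin && belowMax) {
      return { version, affected: true, upgradeTo: r.patched };
    }
  }
  return { version, affected: false, upgradeTo: null };
}

// Walks the "packages" map of a lockfileVersion 2/3 package-lock.json and
// reports each copy of set-value, including nested (transitive) installs.
function auditLockfile(lock) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/set-value' || path.endsWith('/node_modules/set-value')) {
      results.push({ path, ...checkSetValueVersion(entry.version) });
    }
  }
  return results;
}

// Constructed lockfile fragment: one direct copy already patched, one
// transitive copy pinned to a vulnerable 2.x release.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/set-value': { version: '3.0.1' },
    'node_modules/some-dep': { version: '1.0.0', dependencies: { 'set-value': '^2.0.0' } },
    'node_modules/some-dep/node_modules/set-value': { version: '2.0.0' },
  },
};

for (const r of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${r.path}: ${r.version} ${r.affected ? `AFFECTED, upgrade to ${r.upgradeTo}` : 'ok'}`);
}
```

The nested-path match matters in practice: a project that has already bumped its direct dependency can still carry a vulnerable copy under another package's `node_modules`, which is exactly what the sample lockfile shows.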

Affected products

4

Patches

2
cb12f14955dd

ensure only valid keys are used

1 file changed · +5 −1
  • index.js (+5 −1) modified
    @@ -25,7 +25,7 @@ module.exports = function(obj, prop, val) {
         return obj;
       }
     
    -  var keys = split(prop, {sep: '.', brackets: true});
    +  var keys = split(prop, {sep: '.', brackets: true}).filter(isValidKey);
       var len = keys.length;
       var idx = -1;
       var current = obj;
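Review bot: `.filter(isValidKey)` on the split path silently drops the reserved segment instead of rejecting the call, so a path such as `__proto__.x` is rewritten to `x` and the write still lands on the target object at a location the caller never named. Consider returning early or throwing when any segment is `__proto__`, `constructor` or `prototype`, e.g. `if (!keys.every(isValidKey)) return obj;`, so that callers validating user-supplied paths get a clear signal rather than a quietly altered path.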
    @@ -49,3 +49,7 @@ module.exports = function(obj, prop, val) {
     
       return obj;
     };
    +
    +function isValidKey(key) {
    +  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
    +}
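Review bot: the commit touches only index.js (1 file changed), so the new `isValidKey` guard ships without a regression test; add a case asserting that `set({}, '__proto__.polluted', true)` leaves `({}).polluted` undefined and that a `constructor.prototype` path is likewise refused, otherwise a later refactor of the key handling can drop the guard unnoticed.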
    
95e9d9923f8a

disallow proto keys

https://github.com/jonschlinkert/set-value · Jon Schlinkert · Jun 19, 2019 · via ghsa
6 files changed · +39 −28
  • index.js (+6 −10) modified
    @@ -25,7 +25,7 @@ function set(target, path, value, options) {
         merge = Object.assign;
       }
     
    -  const keys = isArray ? path : split(path, opts);
    +  const keys = (isArray ? path : split(path, opts)).filter(isValidKey);
       const len = keys.length;
       const orig = target;
     
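Review bot: the same silent-drop behaviour as in the 2.x fix applies here, and now also to array paths: `(isArray ? path : split(path, opts)).filter(isValidKey)` turns `['__proto__', 'x']` into `['x']` and carries on. Given that the function then hands the value to `merge` (`Object.assign` by default, as the context above shows), it would be safer to reject the whole path up front, e.g. `if (!keys.every(isValidKey)) return target;`, than to continue with a shortened key list.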
    @@ -98,16 +98,12 @@ function createKey(pattern, options) {
       return id;
     }
     
    +function isValidKey(key) {
    +  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
    +}
    +
     function isObject(val) {
    -  switch (typeof val) {
    -    case 'object':
    -      return val !== null;
    -    case 'function':
    -      return true;
    -    default: {
    -      return false;
    -    }
    -  }
    +  return val !== null && (typeof val === 'object' || typeof val === 'function');
     }
     
     set.memo = {};
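Review bot: the `isObject` rewrite is an unrelated refactor bundled into the security fix; it is behaviour-preserving (`null` is excluded, objects and functions pass), but keeping it in its own commit would make the advisory's fix diff minimal and easier to audit and backport. `isValidKey` is also copied verbatim between the 2.x and 3.x fix commits rather than shared, so the two reserved-key lists can drift; a single exported constant would keep them aligned.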
    
  • LICENSE (+1 −1) modified
    @@ -1,6 +1,6 @@
     The MIT License (MIT)
     
    -Copyright (c) 2014-2018, Jon Schlinkert.
    +Copyright (c) 2014-present, Jon Schlinkert.
     
     Permission is hereby granted, free of charge, to any person obtaining a copy
     of this software and associated documentation files (the "Software"), to deal
    
  • package.json (+5 −3) modified
    @@ -36,7 +36,7 @@
         "dot-prop": "^4.2.0",
         "dot2val": "^1.2.2",
         "es5-dot-prop": "^4.1.1",
    -    "gulp-format-md": "^1.0.0",
    +    "gulp-format-md": "^2.0.0",
         "lodash.set": "^4.3.2",
         "minimist": "^1.2.0",
         "mocha": "^3.5.3",
    @@ -124,7 +124,9 @@
           "set-deep",
           "set-deep-prop",
           "set-nested-prop",
    -      "setvalue"
    +      "setvalue",
    +      "split-string",
    +      "update"
         ]
       }
    -}
    +}
    \ No newline at end of file
    
  • README.md (+16 −11) modified
    @@ -1,4 +1,4 @@
    -# set-value [![NPM version](https://img.shields.io/npm/v/set-value.svg?style=flat)](https://www.npmjs.com/package/set-value) [![NPM monthly downloads](https://img.shields.io/npm/dm/set-value.svg?style=flat)](https://npmjs.org/package/set-value) [![NPM total downloads](https://img.shields.io/npm/dt/set-value.svg?style=flat)](https://npmjs.org/package/set-value) [![Linux Build Status](https://img.shields.io/travis/jonschlinkert/set-value.svg?style=flat&label=Travis)](https://travis-ci.org/jonschlinkert/set-value)
    +# set-value [![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=W8YFZ425KND68) [![NPM version](https://img.shields.io/npm/v/set-value.svg?style=flat)](https://www.npmjs.com/package/set-value) [![NPM monthly downloads](https://img.shields.io/npm/dm/set-value.svg?style=flat)](https://npmjs.org/package/set-value) [![NPM total downloads](https://img.shields.io/npm/dt/set-value.svg?style=flat)](https://npmjs.org/package/set-value) [![Linux Build Status](https://img.shields.io/travis/jonschlinkert/set-value.svg?style=flat&label=Travis)](https://travis-ci.org/jonschlinkert/set-value)
     
     > Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
     
    @@ -12,10 +12,14 @@ Install with [npm](https://www.npmjs.com/):
     $ npm install --save set-value
     ```
     
    +## Heads up!
    +
    +[Please update](https://github.com/update/update) to version 3.0.1 or later, a critical bug was fixed in that version.
    +
     ## Usage
     
     ```js
    -var set = require('set-value');
    +const set = require('set-value');
     set(object, prop, value);
     ```
     
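Review bot: the "Heads up!" notice links `Please update` to https://github.com/update/update, the `update` tool's repository, rather than to this package's release or advisory, and describes the change as "a critical bug" without saying it is a security fix for prototype pollution. Point the link at the package's releases or the GitHub advisory and name the issue, so that dependents auditing their lockfiles can recognise why 3.0.1 matters.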
    @@ -30,7 +34,7 @@ set(object, prop, value);
     Updates and returns the given object:
     
     ```js
    -var obj = {};
    +const obj = {};
     set(obj, 'a.b.c', 'd');
     console.log(obj);
     //=> { a: { b: { c: 'd' } } }
    @@ -210,25 +214,26 @@ You might also be interested in these projects:
     
     ### Contributors
     
    -| **Commits** | **Contributor** | 
    -| --- | --- |
    -| 64 | [jonschlinkert](https://github.com/jonschlinkert) |
    -| 1 | [vadimdemedes](https://github.com/vadimdemedes) |
    -| 1 | [wtgtybhertgeghgtwtg](https://github.com/wtgtybhertgeghgtwtg) |
    +| **Commits** | **Contributor** |  
    +| --- | --- |  
    +| 71 | [jonschlinkert](https://github.com/jonschlinkert) |  
    +| 2  | [mbelsky](https://github.com/mbelsky) |  
    +| 1  | [vadimdemedes](https://github.com/vadimdemedes) |  
    +| 1  | [wtgtybhertgeghgtwtg](https://github.com/wtgtybhertgeghgtwtg) |  
     
     ### Author
     
     **Jon Schlinkert**
     
    -* [LinkedIn Profile](https://linkedin.com/in/jonschlinkert)
     * [GitHub Profile](https://github.com/jonschlinkert)
     * [Twitter Profile](https://twitter.com/jonschlinkert)
    +* [LinkedIn Profile](https://linkedin.com/in/jonschlinkert)
     
     ### License
     
    -Copyright © 2018, [Jon Schlinkert](https://github.com/jonschlinkert).
    +Copyright © 2019, [Jon Schlinkert](https://github.com/jonschlinkert).
     Released under the [MIT License](LICENSE).
     
     ***
     
    -_This file was generated by [verb-generate-readme](https://github.com/verbose/verb-generate-readme), v0.6.0, on March 05, 2018._
    \ No newline at end of file
    +_This file was generated by [verb-generate-readme](https://github.com/verbose/verb-generate-readme), v0.8.0, on June 19, 2019._
    \ No newline at end of file
    
  • .travis.yml (+4 −0) modified
    @@ -2,9 +2,13 @@ sudo: false
     os:
       - linux
       - osx
    +  - windows
     language: node_js
     node_js:
       - node
    +  - '12'
    +  - '11'
    +  - '10'
       - '9'
       - '8'
       - '7'
    
  • .verb.md (+7 −3) modified
    @@ -1,7 +1,11 @@
    +## Heads up!
    +
    +[Please update][update] to version 3.0.1 or later, a critical bug was fixed in that version.
    +
     ## Usage
     
     ```js
    -var set = require('{%= name %}');
    +const set = require('{%= name %}');
     set(object, prop, value);
     ```
     
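Review bot: README.md is generated from this file (see the verb-generate-readme footer in the README hunk), so the `[Please update][update]` link target and the vague "a critical bug" wording need to be corrected here, not only in the rendered README, or the next regeneration will reintroduce them; the `[update]` reference definition is also outside this hunk, so its target should be checked at the same time.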
    @@ -17,7 +21,7 @@ set(object, prop, value);
     Updates and returns the given object:
     
     ```js
    -var obj = {};
    +const obj = {};
     set(obj, 'a.b.c', 'd');
     console.log(obj);
     //=> { a: { b: { c: 'd' } } }
    @@ -104,4 +108,4 @@ These are just a few of the duplicate libraries on NPM.
     - Adds support for escaping with double or single quotes. See [escaping](#escaping) for examples.
     - Will no longer split inside brackets or braces. See [bracket support](#bracket-support) for examples.
     
    -If there are any regressions please create a [bug report](../../issues/new). Thanks!
    +If there are any regressions please create a [bug report](../../issues/new). Thanks!
    \ No newline at end of file
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

12
