Prototype Pollution
Description
This affects the package set-value before 2.0.1 and from 3.0.0 before 4.0.1. A type confusion vulnerability allows a bypass of the fix for CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A type confusion in set-value versions before 2.0.1, and from 3.0.0 up to but not including 4.0.1, allows a caller to bypass the earlier prototype pollution fix (CVE-2019-10747) when keys in the path are arrays.
Vulnerability
The set-value npm package is vulnerable to a type confusion flaw in versions before 2.0.1 and in the 3.x line before 4.0.1 [1], [4]. The fix for CVE-2019-10747 rejects the keys __proto__, constructor and prototype by comparing each path key against those three strings. When the path parameter is an array and one of its elements is itself an array (for example ['__proto__']), that strict string comparison does not match, so the element passes the check; when it is later used as a property name it is coerced to the string '__proto__'. The earlier fix is therefore bypassed and prototype pollution occurs again [1].
Exploitation
An attacker triggers the vulnerability by passing a crafted property path as an array argument to set(), with an unsafe key wrapped in a nested array, as in set(obj, [['__proto__'], 'foo'], 'bar') (the case covered by the regression test in the patch below). No special network position or prior authentication is required if the application passes unvalidated user input to set-value as the path. Because the key check compares each element to the strings '__proto__', 'constructor' and 'prototype' with strict equality and does not coerce non-string elements, a nested array slips through and is only stringified at property-access time, letting the attacker reach __proto__ or constructor [2], [4].
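The bypass and the fix side by side, as an added example that is not set-value's own code: a minimal array-path setter modelled on the isValidKey pattern in the patch hunks on this page. The function names (isValidKeyVulnerable, isValidKeyFixed, setPath, setPathStrict, pollutes) and the attacker path are illustrative assumptions, not set-value's API.

```javascript
// Added example, not set-value's own code: a minimal array-path setter
// modelled on the isValidKey pattern shown in the patch hunks on this page.
// All function names here are illustrative, not set-value's API.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Pre-fix check: strict comparison against three strings. A nested array such
// as ['__proto__'] is never === '__proto__', so it is accepted as "valid".
function isValidKeyVulnerable(key) {
  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
}

// Post-fix check: coerce anything that is not a string or number the same way
// property access will (ToString), then compare. String(['__proto__']) is
// '__proto__', so the nested-array form is now rejected.
function isValidKeyFixed(key) {
  if (typeof key !== 'string' && typeof key !== 'number') {
    key = String(key);
  }
  return !UNSAFE_KEYS.has(key);
}

// Simplified setter: `path` is the array form of the path parameter. Keys the
// filter rejects are dropped and the rest of the path is still written, which
// mirrors the `.filter(isValidKey)` approach taken in the 2.0.1 patch.
function setPath(target, path, value, isValidKey) {
  const keys = path.filter(isValidKey);
  if (keys.length === 0) return target;
  let current = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    // This is where the type confusion bites: current[['__proto__']] is
    // evaluated as current['__proto__'], i.e. Object.prototype.
    if (current[key] === null || typeof current[key] !== 'object') {
      current[key] = {};
    }
    current = current[key];
  }
  current[keys[keys.length - 1]] = value;
  return target;
}

// Stricter policy: refuse the whole path instead of silently dropping a key.
function setPathStrict(target, path, value) {
  for (const key of path) {
    if (!isValidKeyFixed(key)) {
      throw new TypeError('refusing unsafe key in path: ' + String(key));
    }
  }
  return setPath(target, path, value, () => true);
}

// Drive the CVE's bypass input through a given key filter and report whether
// Object.prototype was polluted. The prototype is cleaned up afterwards so the
// process is left in its original state.
function pollutes(isValidKey) {
  const attackerPath = [['__proto__'], 'isAdmin']; // constructed attacker input
  try {
    setPath({}, attackerPath, true, isValidKey);
    // A brand-new object reports isAdmin only if the prototype was polluted.
    return ({}).isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

// Stand-alone run.
console.log('vulnerable filter polluted Object.prototype:', pollutes(isValidKeyVulnerable));
console.log('fixed filter polluted Object.prototype:', pollutes(isValidKeyFixed));
```

Two points to take from the run: the fixed filter works only because String(key) coerces the key exactly as the later property access does, so the check and the write agree; and a filter that drops the unsafe segment still writes the remainder of the path (setPath with ['__proto__', 'x'] ends up writing target.x), which is why setPathStrict refuses the whole path instead.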
Impact
Successful exploitation results in prototype pollution: properties are injected into Object.prototype, from which every ordinary object inherits [3], [4]. Depending on how the application reads those properties, this can lead to remote code execution where polluted values reach sensitive logic, or to denial of service through unexpected exceptions; more generally, the attacker can tamper with application behavior across all objects inheriting from the polluted prototype [3].
Mitigation
Fixed versions are 2.0.1 and 4.0.1 [1], [2]; the GitHub Security Advisory additionally lists 3.0.3 as the patched release for the 3.x line (see the Affected packages table below). Users should upgrade to a patched version. No workaround is documented; until the upgrade is applied, do not pass unvalidated user input as the path argument to set-value. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| set-value | npm | >= 4.0.0, < 4.0.1 | 4.0.1 |
| set-value-nuget | NuGet | < 2.0.0 | 2.0.0 |
| set-value | npm | < 2.0.1 | 2.0.1 |
| set-value | npm | >= 3.0.0, < 3.0.3 | 3.0.3 |
Affected products (3)
- set-value/set-value
  - GHSA coordinates (2 version ranges): >= 4.0.0, < 4.0.1, + 1 more
  - (no CPE) range: >= 4.0.0, < 4.0.1
  - (no CPE) range: < 2.0.0
Patches (3)
09c4b108fea3: back port patch for 4.0.1
2 files changed · +13 −0
index.js+4 −0 modified@@ -99,6 +99,10 @@ function createKey(pattern, options) { } function isValidKey(key) { + if (typeof key !== 'string' && typeof key !== 'number') { + key = String(key); + } + return key !== '__proto__' && key !== 'constructor' && key !== 'prototype'; }
test.js+9 −0 modified@@ -210,3 +210,12 @@ describe('options', function() { assert.equal(o.a['{b.c.d}'].e, 'c'); }); }); + +describe('patches', function() { + it('should not allow setting an unsafe key', function() { + const o = {}; + assert.equal({}.foo, undefined); + set(o, [['__proto__'], 'foo'], 'bar'); + assert.equal({}.foo, undefined); + }); +});
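Review bot: in the index.js hunk, the String(key) coercion is applied only to the local copy used for the comparison, so the guard is correct only as long as the caller's later property access coerces the original key the same way; normalising once (key = String(key)) and carrying that normalised value through to the write would remove the dependence on the two coercions agreeing. The accompanying test.js hunk covers only `set(o, [['__proto__'], 'foo'], 'bar')`; a case for `[['constructor'], 'prototype', 'x']` and one for a numeric key such as 0 would exercise the other branches of the new condition.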
1 file changed · +2 −2
package.json+2 −2 modified@@ -1,6 +1,6 @@ { "name": "set-value", - "version": "4.0.0", + "version": "4.0.1", "description": "Set nested properties on an object using dot notation.", "license": "MIT", "repository": "jonschlinkert/set-value", @@ -122,4 +122,4 @@ "update" ] } -} \ No newline at end of file +}
cb12f14955dd: ensure only valid keys are used
1 file changed · +5 −1
index.js+5 −1 modified@@ -25,7 +25,7 @@ module.exports = function(obj, prop, val) { return obj; } - var keys = split(prop, {sep: '.', brackets: true}); + var keys = split(prop, {sep: '.', brackets: true}).filter(isValidKey); var len = keys.length; var idx = -1; var current = obj; @@ -49,3 +49,7 @@ module.exports = function(obj, prop, val) { return obj; }; + +function isValidKey(key) { + return key !== '__proto__' && key !== 'constructor' && key !== 'prototype'; +}
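Review bot: `.filter(isValidKey)` silently drops the unsafe segment and continues with the rest of the path, so a path of `__proto__.polluted` is rewritten to `polluted` and written to obj with no error; rejecting the whole path (throwing, or returning obj unchanged) would make the refusal visible to the caller and avoid writing to a location the caller did not name. The new isValidKey also compares with strict equality against three string literals, so a key that is not a string but coerces to '__proto__' on property access passes through; the back-port hunk above adds a String(key) coercion for exactly that case.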
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (12)
- github.com/advisories/GHSA-4jqc-8m5r-9rpr (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-23440 (GHSA, ADVISORY)
- github.com/jonschlinkert/set-value/commit/09c4b108fea3c0260008590053ff13da64913245 (GHSA, WEB)
- github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452 (GHSA, x_refsource_MISC, WEB)
- github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad (GHSA, WEB)
- github.com/jonschlinkert/set-value/pull/33 (GHSA, x_refsource_MISC, WEB)
- github.com/jonschlinkert/set-value/pull/33/commits/383b72d47c74a55ae8b6e231da548f9280a4296a (GHSA, WEB)
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212 (GHSA, x_refsource_MISC, WEB)
- snyk.io/vuln/SNYK-JS-SETVALUE-1540541 (GHSA, x_refsource_MISC, WEB)
- www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2 (GHSA, WEB)
- www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/ (MITRE, x_refsource_MISC)
- www.oracle.com/security-alerts/cpujan2022.html (GHSA, x_refsource_MISC, WEB)
News mentions (0)
No linked articles in our index yet.