Prototype Pollution
Description
Prototype pollution in @strikeentco/set before 1.0.2 allows denial of service and may lead to remote code execution via type confusion bypass.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The npm package @strikeentco/set prior to version 1.0.2 contains a prototype pollution vulnerability. The vulnerability arises because the library does not properly sanitize input when setting nested properties on an object, allowing an attacker to inject properties into Object.prototype via specially crafted input (e.g., using __proto__ as a key). This issue is an incomplete fix of a previously disclosed vulnerability (SNYK-JS-STRIKEENTCOSET-1038821) [1][2][3][4].
Exploitation
An attacker can exploit this vulnerability by providing an object with a __proto__ key when calling the set function. The library's recursive assignment path will copy the attacker's payload onto the global Object.prototype. No authentication or special network position is required if the application processes user-supplied data through the vulnerable function [1][3].
Impact
Successful exploitation results in prototype pollution, which can cause denial of service (e.g., throwing JavaScript exceptions) and may potentially lead to remote code execution if the polluted properties alter the application's execution path or conditional checks [2][4].
Mitigation
The vulnerability is fixed in version 1.0.2 of @strikeentco/set. Users should upgrade to the patched release immediately. No workaround is available if the library is used in a context where user input is passed to the set function. The incomplete fix that this CVE addresses was originally tracked as SNYK-JS-STRIKEENTCOSET-1038821 [1][2][4].
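The check the patch hardens compares each path segment against `__proto__` and `constructor`; with strict equality an array-wrapped segment such as `['__proto__']` is not a string and passes the check, yet property access later stringifies it to `__proto__`. The following is an added example, not the @strikeentco/set project's own code: it puts the strict-equality guard beside a coercing guard and shows a nested-set routine that normalizes every segment to a string before checking it. The names `strictGuard`, `coercingGuard`, `safeSet` and `prototypeIsClean` are assumptions, and the guard here is stricter than the project's (it always refuses `constructor` and `prototype`, regardless of the target object).

```javascript
// Added example (not the library's code): guarding a nested-set against
// array-wrapped keys by normalizing each path segment before the check.

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Pre-1.0.2 style check: strict equality only matches a real string, so a
// segment supplied as ['__proto__'] is not recognised as dangerous.
function strictGuard(key) {
  return key === '__proto__' || key === 'constructor';
}

// Coercing check: property access stringifies the key anyway
// (o[['__proto__']] is o['__proto__']), so compare what will actually be used.
function coercingGuard(key) {
  return FORBIDDEN.has(String(key));
}

// Assign `val` at `path` (array of segments, or a dot-separated string),
// skipping any segment that would reach into the prototype chain. Returning
// silently instead of throwing mirrors what the project's tests expect (the
// call returns and the property stays unset); that choice is an assumption.
function safeSet(obj, path, val) {
  const parts = Array.isArray(path) ? path : String(path).split('.');
  let cur = obj;
  for (let i = 0; i < parts.length; i += 1) {
    const key = String(parts[i]);        // normalize before any comparison
    if (coercingGuard(key)) return obj;  // refuse to descend into the prototype
    if (i === parts.length - 1) {
      cur[key] = val;
      return obj;
    }
    // Only walk into own, non-null object values; otherwise create a fresh
    // container so an inherited value can never become the write target.
    if (!Object.prototype.hasOwnProperty.call(cur, key)
        || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  return obj;
}

// Post-condition a defender can assert in tests: the shared prototype does
// not carry the attacker-chosen property name after a set call.
function prototypeIsClean(prop) {
  return !(prop in Object.prototype);
}
```

Running `safeSet({}, [['__proto__'], 'b'], 1)` leaves `({}).b` undefined, whereas `strictGuard(['__proto__'])` returns `false`, which is the misclassification the 1.0.2 patch closes.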
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @strikeentco/set (npm) | < 1.0.2 | 1.0.2 |
Affected products
- @strikeentco/set
Patches
15 files changed · +884 −924
main.js+2 −2 modified@@ -1,9 +1,9 @@ 'use strict'; -/* eslint-disable no-continue */ +/* eslint-disable no-continue, eqeqeq */ const isObject = (val) => typeof val === 'object' || typeof val === 'function'; -const isProto = (val, obj) => val === '__proto__' || (val === 'constructor' && typeof obj.constructor === 'function'); +const isProto = (val, obj) => val == '__proto__' || (val == 'constructor' && typeof obj.constructor === 'function'); const set = (obj, parts, length, val) => { let tmp = obj; let i = 0;
package.json+7 −7 modified@@ -1,7 +1,7 @@ { "name": "@strikeentco/set", "author": "Alexey Bystrov <strikeentco@gmail.com>", - "version": "1.0.1", + "version": "1.0.2", "description": "Set nested values on an object using a dot path or custom separator", "engines": { "node": ">=6.0.0" @@ -50,12 +50,12 @@ "url": "https://github.com/strikeentco/set/issues" }, "devDependencies": { - "eslint": "^7.12.1", - "eslint-config-airbnb": "^18.2.0", - "eslint-plugin-import": "^2.22.1", - "eslint-plugin-jsx-a11y": "^6.4.1", - "eslint-plugin-react": "^7.21.5", - "mocha": "^8.2.0", + "eslint": "^7.32.0", + "eslint-config-airbnb": "^18.2.1", + "eslint-plugin-import": "^2.25.4", + "eslint-plugin-jsx-a11y": "^6.5.1", + "eslint-plugin-react": "^7.28.0", + "mocha": "^8.4.0", "nyc": "^15.1.0", "should": "^13.2.3" },
package-lock.json+861 −915 modifiedtest.js+12 −0 modified@@ -114,6 +114,9 @@ describe('set', () => { set(o, ['constructor', 'b'], 1); should(o.constructor.b).be.eql(undefined); + + set(o, [['constructor'], 'b'], 1); + should(o.constructor.b).be.eql(undefined); }); it('should not indirectly set Object properties', () => { @@ -123,6 +126,9 @@ describe('set', () => { set(o, ['__proto__', 'b'], 1); should(o.b).be.eql(undefined); + + set(o, [['__proto__'], 'b'], 1); + should(o.b).be.eql(undefined); }); it('should not indirectly set Object properties', () => { @@ -133,6 +139,9 @@ describe('set', () => { set(o, ['ob.constructor', 'b'], 1); should(ob.b).be.eql(undefined); + + set(o, [['ob.constructor'], 'b'], 1); + should(ob.b).be.eql(undefined); }); it('should not indirectly set Object properties', () => { @@ -143,5 +152,8 @@ describe('set', () => { set(o, ['ob.__proto__', 'b'], 1); should(ob.b).be.eql(undefined); + + set(o, [['ob.__proto__'], 'b'], 1); + should(ob.b).be.eql(undefined); }); });
.travis.yml+2 −0 modified@@ -1,5 +1,7 @@ language: node_js node_js: + - "16" + - "14" - "12" - "10" before_script:
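Review bot: the `===` to `==` change in `isProto` (main.js hunk) is the whole fix, because loose equality stringifies an array operand so `['__proto__'] == '__proto__'` holds, but nothing in the hunk records that intent and the added `eqeqeq` disable reads as a lint shortcut that a later cleanup could revert. Suggest making the coercion explicit, e.g. `const key = String(val); return key === '__proto__' || (key === 'constructor' && typeof obj.constructor === 'function');`, with a one-line comment naming the array-wrapped-key case; that also removes the need to disable `eqeqeq`.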
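Review bot: the four new cases in the test.js hunk only exercise a single-element array around the key, and their assertions read `o.b` / `ob.b`, which pass either because the prototype is clean or because an own property shadows it. Suggest asserting directly on the shared prototype as well (`should(Object.prototype.b).be.eql(undefined)` after the `__proto__` cases) and adding a short comment that these cases pin the string-coercion behaviour of the guard, so the reason for the `==` in main.js is documented next to the test.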
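Review bot: the .travis.yml hunk adds Node 16 and 14 to the matrix while package.json still declares `"node": ">=6.0.0"` in `engines`; either keep a job for the declared floor or raise `engines` in the same change so the supported range matches what CI actually runs.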
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-39qv-prmh-x37f (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23497 (NVD)
- github.com/strikeentco/set/commit/b2f942c (fix commit)
- security.snyk.io/vuln/SNYK-JS-STRIKEENTCOSET-1038821 (Snyk, original report)
- snyk.io/blog/remediate-javascript-type-confusion-bypassed-input-validation/ (Snyk blog)
- snyk.io/vuln/SNYK-JS-STRIKEENTCOSET-2385945 (Snyk, incomplete-fix report)
News mentions
No linked articles in our index yet.