VYPR
High severity · NVD Advisory · Published Feb 4, 2022 · Updated Sep 17, 2024

Prototype Pollution

CVE-2021-23507

Description

The object-path-set package before 1.0.2 allows prototype pollution via the setPath method due to an incomplete fix, enabling attackers to pollute object prototypes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The object-path-set package before version 1.0.2 is vulnerable to Prototype Pollution via the setPath method. The vulnerability arises from an incomplete fix for a previous prototype pollution issue (SNYK-JS-OBJECTPATHSET-607908) [2]. The isValidKey function only blocked the strings __proto__, constructor, and prototype and did not check the type of the key, so an attacker could bypass the filter by passing a non-string key such as an array [1][4]. A write meant for the target object then lands on its prototype instead.

Exploitation

An attacker can exploit this by providing a crafted path argument to the setPath function in which a segment is not a string (e.g., an array containing __proto__ or constructor). The validation only checks for exact string matches, so a non-string segment bypasses the filter; when that segment is later used as a property name, JavaScript coerces it to a string, and ['__proto__'] becomes __proto__ [1][4]. The attacker does not require authentication or special privileges; they only need to control the input to the setPath function, which is commonly used in applications that set nested object properties.

Impact

Successful exploitation leads to Prototype Pollution, allowing the attacker to inject properties into the global Object.prototype. This can result in denial of service (via JavaScript exceptions), tampering with application logic, or potentially remote code execution if the polluted properties affect code paths [3]. The impact depends on how the application uses the polluted object.

Mitigation

The vulnerability is fixed in version 1.0.2 of object-path-set, released on 2022-01-30 [4]. The fix adds a type check to ensure the key is a string before validating against the blocked keys [4]. Users should upgrade to version 1.0.2 or later. No workaround is available; updating the package is the recommended mitigation.
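To make the mechanism described in the Vulnerability, Exploitation and Mitigation sections concrete, here is an added example that is not the package's own code: the two isValidKey variants as they appear in the fix diff, plus a hypothetical minimal `setPathWith` standing in for the package's setPath. The demonstration uses a private prototype created with Object.create, so the global Object.prototype is never modified.

```javascript
'use strict';

// Check as in object-path-set before 1.0.2: three strict string comparisons only.
function isValidKeyVulnerable(key) {
  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
}

// Check as in 1.0.2: any non-string segment is refused before the comparisons.
function isValidKeyFixed(key) {
  return (
    typeof key === 'string' &&
    key !== '__proto__' &&
    key !== 'constructor' &&
    key !== 'prototype'
  );
}

// Hypothetical minimal setter standing in for setPath (not the package's code):
// validates every segment up front and refuses the whole write on any bad one.
function setPathWith(isValidKey, obj, path, value, delimiter) {
  var parts = Array.isArray(path) ? path : String(path).split(delimiter || '.');
  if (!parts.every(isValidKey)) return obj;
  var cur = obj;
  for (var i = 0; i < parts.length - 1; i++) {
    // Property access coerces a non-string segment: cur[['__proto__']] is cur.__proto__
    if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Run the path from the page's regression test against a private prototype chain,
// so the effect is observable without touching the global Object.prototype.
function demonstrate(isValidKey) {
  var proto = {};
  var target = Object.create(proto);
  setPathWith(isValidKey, target, [['__proto__'], 'polluted'], 'yes');
  var bystander = Object.create(proto); // created after the write, like obj2 in the test
  return {
    protoPolluted: proto.polluted === 'yes',
    bystanderSeesIt: bystander.polluted === 'yes',
    targetOwnKeys: Object.keys(target),
  };
}

// String paths were already blocked before the fix; array segments were the gap.
var stringPathBlocked = !isValidKeyVulnerable('__proto__');
var arrayPathBypassed = isValidKeyVulnerable(['__proto__']);
var arrayPathFixed = !isValidKeyFixed(['__proto__']);
```

Under the vulnerable check the write aimed at `target` appears on `proto` and on every object created from it afterwards, while `target` itself gains no own property, which is why such pollution is easy to miss in application-level checks.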

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               | Affected versions | Patched versions
object-path-set (npm) | < 1.0.2           | 1.0.2

Affected products: 2

Patches: 1
Commit 2d67a714159c

fix new prototype pollution vulnerability

https://github.com/skratchdot/object-path-set · skratchdot · Jan 30, 2022 · via ghsa
4 files changed · +8838 / -32
  • CHANGELOG.md (+3 / -1, modified)
    @@ -1,10 +1,12 @@
    +## Unreleased (2022-01-30)
    +
     ## <small>1.0.1 (2020-07-25)</small>
     
     - add prettier and `npm run build` ([1f34461](https://github.com/skratchdot/object-path-set/commit/1f34461))
     - adding contributors ([5bf6e83](https://github.com/skratchdot/object-path-set/commit/5bf6e83))
     - Bump eslint from 4.18.1 to 4.18.2 ([1756583](https://github.com/skratchdot/object-path-set/commit/1756583))
     - fix prototype pollution vulnerability ([55f06d7](https://github.com/skratchdot/object-path-set/commit/55f06d7))
    -- formatting ([6bddc79](https://github.com/skratchdot/object-path-set/commit/6bddc79))
    +- formatting ([577f529](https://github.com/skratchdot/object-path-set/commit/577f529))
     - rename tonic to runkit ([9c2f1ea](https://github.com/skratchdot/object-path-set/commit/9c2f1ea))
     - small readme tweaks ([9750b7a](https://github.com/skratchdot/object-path-set/commit/9750b7a))
     - travis runs node 6+ ([ac1969b](https://github.com/skratchdot/object-path-set/commit/ac1969b))
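Review bot: the new `## Unreleased (2022-01-30)` heading has no entry under it; add a line for this fix, mirroring the existing `fix prototype pollution vulnerability` entry under 1.0.1, so the security-relevant change is visible in the release notes. Separately, the `formatting` entry's hash changes from 6bddc79 to 577f529 with no explanation; if that is a changelog regeneration rather than a deliberate correction, it belongs in its own commit.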
    
  • index.js (+6 / -1, modified)
    @@ -2,7 +2,12 @@
     
     // https://github.com/jonschlinkert/assign-deep/commit/90bf1c551d05940898168d04066bbf15060f50cc
     var isValidKey = function (key) {
    -  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
    +  return (
    +    typeof key === 'string' &&
    +    key !== '__proto__' &&
    +    key !== 'constructor' &&
    +    key !== 'prototype'
    +  );
     };
     
     var setPath = function (obj, path, value, delimiter) {
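Review bot: the added `typeof key === 'string'` guard is the right shape for the reported bypass (an array segment such as `['__proto__']` passes the three strict string comparisons but is coerced to the property name `__proto__` when used as an index), but it is also a behaviour change for callers that pass array paths with numeric segments such as `['items', 0, 'name']`, which are now rejected; either accept numbers explicitly or record the change in the CHANGELOG entry. Since the body of setPath is outside this hunk, also confirm that every path segment goes through isValidKey and that a rejected segment aborts the whole write rather than skipping only that segment.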
    
  • package-lock.json (+8815 / -24, modified)
  • test.js (+14 / -6, modified)
    @@ -6,18 +6,18 @@ var getDefaultObject = function () {
       return {
         nested: {
           thing: {
    -        foo: 'bar'
    +        foo: 'bar',
           },
           is: {
    -        cool: true
    -      }
    +        cool: true,
    +      },
         },
         dataUndefined: undefined,
         dataDate: now,
         dataNumber: 42,
         dataString: 'foo',
         dataNull: null,
    -    dataBoolean: true
    +    dataBoolean: true,
       };
     };
     
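Review bot: this hunk and the one at `@@ -51,13 +51,13 @@` are trailing-comma formatting only and carry no behaviour change; keeping such churn out of a security fix commit makes the functional diff easier to audit and to backport.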
    @@ -51,13 +51,13 @@ describe('object-path-set', function () {
         expect(setPath(true, 'a', 42)).toEqual({ a: 42 });
         expect(setPath({ a: 123 }, 'a.b', 42)).toEqual({ a: { b: 42 } });
         expect(setPath(null, 'a.b.c.d', null)).toEqual({
    -      a: { b: { c: { d: null } } }
    +      a: { b: { c: { d: null } } },
         });
       });
       it('should be able to use custom delimiters', function () {
         expect(setPath({}, 'a|b|c|d', 42)).toEqual({ 'a|b|c|d': 42 });
         expect(setPath({}, 'a|b|c|d', 42, '|')).toEqual({
    -      a: { b: { c: { d: 42 } } }
    +      a: { b: { c: { d: 42 } } },
         });
         expect(setPath({}, 'a.b.c.d', 42, '|')).toEqual({ 'a.b.c.d': 42 });
       });
    @@ -108,6 +108,14 @@ describe('object-path-set', function () {
         expect(obj.polluted).toBeUndefined();
         expect(obj2.polluted).toBeUndefined();
       });
    +  it('should not pollute __proto__ when using arrays', function () {
    +    var obj = {};
    +    expect(obj.polluted).toBeUndefined();
    +    setPath(obj, [['__proto__'], 'polluted'], 'yes');
    +    var obj2 = {};
    +    expect(obj.polluted).toBeUndefined();
    +    expect(obj2.polluted).toBeUndefined();
    +  });
       it('should not pollute constructor', function () {
         var obj = {};
         expect(obj.polluted).toBeUndefined();
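Review bot: the new test only exercises `[['__proto__'], 'polluted']`; the same bypass applies to the other two blocked names, so a companion case for `[['constructor'], 'prototype', 'polluted']` would lock the fix in for the full denylist. It would also help to assert that a legitimate array path such as `['a', 'b']` still sets the nested value after the fix, so that over-rejection by the new type check is caught by the suite as well.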
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7

News mentions: 0

No linked articles in our index yet.