VYPR
High severity · NVD Advisory · Published Jun 24, 2022 · Updated Sep 17, 2024

Prototype Pollution

CVE-2022-21231

Description

All versions of package deep-get-set are vulnerable to Prototype Pollution via the 'deep' function. Note: This vulnerability derives from an incomplete fix of CVE-2020-7715.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

All versions of the deep-get-set npm package are vulnerable to prototype pollution via the deep function.

Vulnerability

The deep-get-set package (all versions) is vulnerable to Prototype Pollution via the deep function [1][2]. The deep function allows setting and getting values on objects using dot-notation strings. This vulnerability derives from an incomplete fix of CVE-2020-7715 [1].

Exploitation

An attacker can provide a crafted path like __proto__ or constructor.prototype to pollute the object prototype [2]. This can be achieved without authentication if the application processes user-supplied path strings [2].

Impact

Successful exploitation can lead to prototype pollution, potentially resulting in remote code execution, denial of service, or property injection that alters application behavior [2].

Mitigation

As of the available references, no patch has been released. The package repository appears to be archived [3]. Users should consider avoiding the use of deep-get-set or implementing strict input sanitization and validation for path strings.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
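
One way to implement the path-string validation suggested under Mitigation, as an added example that is not code from deep-get-set or from the advisory. The names `parseSafePath`, `safeSet` and `classify` are hypothetical, and the sample paths are constructed.

```javascript
// Added example: guard for dot-notation paths before any deep set.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Returns the path as an array of vetted segments, or throws.
// Accepts a dot-notation string or an array of segments (assumed input shapes).
function parseSafePath(path) {
  const segments = Array.isArray(path) ? path
    : typeof path === 'string' ? path.split('.') : null;
  if (segments === null || segments.length === 0) {
    throw new TypeError('path must be a non-empty string or array');
  }
  segments.forEach((seg, i) => {
    // Require primitive strings so the blocklist check sees exactly the key
    // that property access will use.
    if (typeof seg !== 'string' || seg === '' || BLOCKED.has(seg)) {
      throw new Error('rejected path segment at index ' + i);
    }
  });
  return segments;
}

// Hypothetical hardened setter: walks own properties only and creates missing
// intermediates as own plain objects, so inherited objects are never written to.
function safeSet(target, path, value) {
  const segments = parseSafePath(path);
  let node = target;
  for (const key of segments.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== 'object') {
      Object.defineProperty(node, key,
        { value: {}, writable: true, enumerable: true, configurable: true });
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Constructed sample paths: one benign, three that must be refused.
const SAMPLES = ['user.name', '__proto__.polluted',
  'constructor.prototype.polluted', ['settings', null]];

function classify(paths) {
  return paths.map((p) => {
    try { safeSet({}, p, 'v'); return 'accepted'; } catch (e) { return 'rejected'; }
  });
}

console.log(classify(SAMPLES));
```

Validation runs before any object is touched, so a rejected path leaves both the target and `Object.prototype` unchanged.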

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| deep-get-set (npm) | <= 1.1.1 | |

Affected products

2

Patches

0

No patches discovered yet.

References

3
