Prototype Pollution
Description
The dset package is vulnerable to Prototype Pollution in 'dset/merge' mode, allowing attackers to bypass sanitization checks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Versions of the dset npm package before 3.1.2 are vulnerable to Prototype Pollution when the dset/merge entry point is used. The dset function guards against prototype pollution by rejecting path segments named __proto__, constructor, or prototype. That check covers only the dotted path: the object supplied as the value is merged recursively into whatever already exists at the target location, and the keys of that value are not subjected to the same check. A crafted value whose nested keys use those names therefore reaches, and pollutes, Object.prototype [1][3].
Exploitation
An attacker exploits this by supplying a malicious object that, when merged into an existing object via dset/merge, writes properties onto the shared Object.prototype. No authentication or special privileges are required; the only precondition is that the application merges untrusted input (for example, a parsed JSON request body) into an object using the merge mode [3][4].
Impact
Successful exploitation results in Prototype Pollution, which can cause denial of service (via property shadowing or exceptions) or lead to remote code execution if the application's logic relies on properties inherited from Object.prototype. The exact impact depends on how the application uses the polluted properties [3].
Mitigation
The GitHub Security Advisory lists dset 3.1.2 as the patched version; upgrade to 3.1.2 or later. Where an upgrade is not immediately possible, do not pass untrusted data through dset/merge, and use the default dset entry point instead, which assigns the value at the leaf without recursively merging it and is therefore not affected by this bypass. Monitor the GitHub repository [2] for further updates. Consumers of the WebJar repackaging (org.webjars.npm:dset) should likewise move to 3.1.2 [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| dset | npm | < 3.1.2 | 3.1.2 |
| org.webjars.npm:dset | Maven | < 3.1.2 | 3.1.2 |
Affected products
- dset/dset
  - GHSA version ranges: < 3.1.2 (+ 1 more)
  - (no CPE) range: < 3.1.2
  - (no CPE) range: < 3.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The dset function fails to properly sanitize input during the merge operation, allowing for prototype pollution."
Attack vector
An attacker crafts a malicious object whose nested keys include '__proto__', 'constructor' or 'prototype'. The existing check rejects those names only in the top-level path, so the object passes when it is handed to the dset function in 'merge' mode as the value to merge. Successful exploitation adds or overwrites properties on Object.prototype, that is, prototype pollution [ref_id=1].
Affected code
The vulnerability exists in the 'dset/merge' mode of the dset package. Specifically, the dset function at 'src/merge.js#L9' is responsible for handling the merge operation and contains checks that can be bypassed [ref_id=1].
What the fix does
The advisory text itself does not describe the patch, but the GitHub Security Advisory lists 3.1.2 as the patched version, and the advisory confines the vulnerable behaviour to the 'dset/merge' mode and its prototype-pollution checks [ref_id=1]. The natural fix is to apply the same reserved-key check (__proto__, constructor, prototype) to every key encountered while recursively merging the value, not only to the segments of the path.
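As an added worked example (not dset's own code, and not taken from the advisory), the following JavaScript models the behaviour described in the Vulnerability, Exploitation and Attack vector sections and the fix shape suggested above: a dotted-path setter whose reserved-key check covers only the path, a recursive merge with and without that check at every level, and a JSON-parsed payload carrying an own `__proto__` key. The helper names (setPath, mergeValueUnsafe, mergeValueSafe, isObj), the payload and the target objects are constructed assumptions; the real dset package is not imported.

```javascript
// Added example modelling the flaw described on this page; this is NOT dset's own
// code and the helper names below are constructed for illustration.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Recursive merge with NO key check: the weakness described above, where only the
// dotted path is validated and the value object is walked unchecked.
function mergeValueUnsafe(a, b) {
  if (isObj(a) && isObj(b)) {
    for (const k in b) {
      // For k === '__proto__', a[k] resolves to a's prototype (Object.prototype for a
      // plain object), so the recursion writes into the shared prototype.
      a[k] = mergeValueUnsafe(a[k], b[k]);
    }
    return a;
  }
  return b;
}

// Hardened merge: the same reserved-key check applied at every level of the value,
// iterating own keys only so inherited properties are never copied.
function mergeValueSafe(a, b) {
  if (isObj(a) && isObj(b)) {
    for (const k of Object.keys(b)) {
      if (RESERVED.has(k)) continue;
      a[k] = mergeValueSafe(a[k], b[k]);
    }
    return a;
  }
  return b;
}

function isObj(v) {
  return typeof v === 'object' && v !== null;
}

// Dotted-path setter modelled on the page's description: reserved names are rejected
// in the PATH, then the leaf value is handed to the chosen merge strategy.
function setPath(obj, path, val, mergeFn) {
  const keys = path.split('.');
  let t = obj;
  for (let i = 0; i < keys.length; i++) {
    const k = keys[i];
    if (RESERVED.has(k)) return obj;          // the path-only check
    if (i === keys.length - 1) {
      t[k] = mergeFn(t[k], val);              // merge into whatever already sits at the leaf
    } else {
      if (!isObj(t[k])) t[k] = {};
      t = t[k];
    }
  }
  return obj;
}

// Constructed attacker payload. JSON.parse yields an OWN enumerable property literally
// named "__proto__"; an object literal would instead set the prototype.
const PAYLOAD = '{"__proto__": {"polluted": true}}';

// Path check alone: a reserved name in the path is rejected and nothing is polluted.
function pathCheckHolds() {
  const victim = {};
  setPath({}, '__proto__.polluted', true, mergeValueUnsafe);
  const clean = victim.polluted === undefined;
  delete Object.prototype.polluted;           // no-op when the check held
  return clean;
}

// Bypass: the payload goes in as the VALUE, merged into an existing object at the leaf.
function runUnsafe() {
  const victim = {};                          // unrelated object, created before the merge
  setPath({ cfg: { user: {} } }, 'cfg.user', JSON.parse(PAYLOAD), mergeValueUnsafe);
  const leaked = victim.polluted === true;    // inherited from the polluted Object.prototype
  delete Object.prototype.polluted;           // clean up so later code is unaffected
  return leaked;
}

// Same payload through the hardened merge: nothing reaches Object.prototype and the
// reserved key is not copied into the target either.
function runSafe() {
  const victim = {};
  const target = setPath({ cfg: { user: {} } }, 'cfg.user', JSON.parse(PAYLOAD), mergeValueSafe);
  const leaked = victim.polluted === true;
  const copied = Object.prototype.hasOwnProperty.call(target.cfg.user, '__proto__');
  return { leaked, copied };
}
```

Two details matter when reproducing this: the payload must come from JSON.parse (or another source that creates an own property named `__proto__`), and the leaf being written must already hold an object, because a merge of undefined with the payload simply assigns the payload without recursing. The hardened variant also iterates own keys only, so an already-polluted prototype cannot leak back into a merge.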
Preconditions
- Input: the attacker must be able to supply a specially crafted object as the value passed to the dset function in merge mode.
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.