VYPR
High severity · NVD Advisory · Published Mar 6, 2023 · Updated Mar 5, 2025

CVE-2023-26106

Description

The dot-lens npm package is vulnerable to Prototype Pollution via its set() function, allowing attackers to inject properties into Object.prototype, potentially leading to denial of service or remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The dot-lens package, a fast dot-notation lens for JavaScript objects, is vulnerable to Prototype Pollution through its set() function in index.js. The function allows setting nested properties but does not properly validate keys such as __proto__, constructor, or prototype, enabling an attacker to pollute the Object prototype [1][3].

To exploit this vulnerability, an attacker must control the path argument passed to set(), often via user input. By crafting a path like __proto__.polluted, the set() function recursively assigns values to Object.prototype, causing all objects to inherit the polluted property [2].

Successful exploitation can result in denial of service by triggering JavaScript exceptions or, depending on application logic, lead to remote code execution through property definition by path [2]. The ability to alter the prototype chain can change application behavior in unintended ways.

As of March 2023, no patch is available for this vulnerability [1]. Users are advised to avoid passing untrusted input to the set() function, or to use alternative libraries with proper validation to prevent Prototype Pollution [2][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: dot-lens (npm)
Affected versions: <= 1.2.3
Patched versions: none listed

Affected products

2

Patches

0

No patches discovered yet.

References

5
