This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection.
{
"unresolved_ranges": [
{
"source": "CPE_RANGE",
"vendor_product": "totaljs:total.js",
"extracted_events": [
{
"fixed": "3.4.7"
},
{
"fixed": "3.4.7"
},
{
"fixed": "3.4.7"
}
],
"cpes": [
"cpe:2.3:a:totaljs:total.js:*:*:*:*:*:node.js:*:*"
]
},
{
"source": "DESCRIPTION",
"extracted_events": [
{
"introduced": "total.js"
},
{
"fixed": "3.4.7"
}
]
}
]
}