CVE-2022-31106
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-31106
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31106.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-31106
- Aliases
-
- GHSA-8j79-hfj5-f2xm
- Published
- 2022-06-28T17:30:14Z
- Modified
- 2025-12-04T10:23:56.915945Z
- Severity
-
- 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
- Summary
- Prototype Pollution in underscore.deep
- Details
-
Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of
underscore.deepprior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An attacker can craft a malicious payload and pass it todeepFromFlat, which would pollute any future Objects created. Any users that havedeepFromFlatordeepPick(due to its dependency ondeepFromFlat) in their code should upgrade to version 0.5.3 as soon as possible. Users unable to upgrade may mitigate this issue by modifyingdeepFromFlatto prevent specific keywords which will prevent this from happening. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-1321", "CWE-915" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31106.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31106.json
- https://github.com/Clever/underscore.deep/commit/b5e109ad05b48371be225fa4d490dd08a94e8ef7
- https://github.com/Clever/underscore.deep/security/advisories/GHSA-8j79-hfj5-f2xm
- https://nvd.nist.gov/vuln/detail/CVE-2022-31106