GHSA-297x-8xj4-vcxv

Source
https://github.com/advisories/GHSA-297x-8xj4-vcxv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-297x-8xj4-vcxv/GHSA-297x-8xj4-vcxv.json
Aliases
Published
2022-05-24T17:11:32Z
Modified
2023-11-08T04:04:14.259926Z
Details

The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.

References

Affected packages

npm / dot

Package

Name
dot

Affected ranges

Type
SEMVER
Events
Introduced
0The exact introduced commit is unknown
Fixed
1.1.3

Database specific

{
    "last_known_affected_version_range": "<= 1.1.2"
}