GHSA-4h4x-4m75-47j4

Source

https://github.com/advisories/GHSA-4h4x-4m75-47j4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-4h4x-4m75-47j4/GHSA-4h4x-4m75-47j4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4h4x-4m75-47j4

Aliases

CVE-2024-38985

Published

2025-03-28T21:30:46Z

Modified

2025-03-31T16:24:38.764249Z

Severity

8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:P CVSS Calculator

Summary

depath and cool-path vulnerable to Prototype Pollution via `set()` Method

Details

janryWang products depath v1.0.6 and cool-path v1.1.2 were discovered to contain a prototype pollution via the set() method at setIn (lib/index.js:90). This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

Database specific

{
    "nvd_published_at": "2025-03-28T21:15:16Z",
    "cwe_ids": [
        "CWE-1321"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-31T15:56:47Z"
}

References

Affected packages

npm / depath

Package

Name: depath; View open source insights on deps.dev
Purl: pkg:npm/depath

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.0.6

npm / cool-path

Package

Name: cool-path; View open source insights on deps.dev
Purl: pkg:npm/cool-path

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.1.2