Platform: nodejs
Component: set-value
Fixed in: 2.0.2, 2.0.1
CVE-2019-10747 describes a Prototype Pollution vulnerability in set-value versions prior to 3.0.1 or 2.0.1. It allows attackers to modify the prototype of the JavaScript Object class, potentially leading to unexpected behavior and security compromises. A fix is available in versions 2.0.1 and 3.0.1.
Prototype Pollution is a dangerous vulnerability because it allows attackers to inject properties into the base Object.prototype. This means any object created subsequently inherits these malicious properties, effectively poisoning the entire object hierarchy within a JavaScript application. An attacker could, for example, add a property to Object.prototype that intercepts sensitive data or modifies the behavior of built-in functions. This can lead to denial of service, information disclosure, or even remote code execution depending on how the application utilizes the polluted prototype. The impact is particularly severe in applications that heavily rely on dynamic object creation or serialization/deserialization, as the pollution can propagate silently and affect a wide range of components.
This vulnerability was publicly disclosed on August 27, 2019. While no active exploitation campaigns have been definitively linked to CVE-2019-10747 specifically, Prototype Pollution vulnerabilities are generally considered high-risk due to their potential for widespread impact. It is not listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the ease with which this vulnerability can be triggered.
Exploit Status
EPSS: 0.50% (66th percentile)
CVSS Vector
The primary mitigation for CVE-2019-10747 is to upgrade to set-value 2.0.1 or 3.0.1 or later. If an immediate upgrade is not feasible, consider implementing input validation and sanitization so that malicious data cannot reach the set function. While not a complete solution, this reduces the attack surface. Additionally, consider using a Web Application Firewall (WAF) with rules to detect and block attempts to manipulate Object.prototype. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring your application's logs for unexpected object property modifications is recommended.
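The validation and monitoring suggested above, as an added example that is not the set-value project's own code: a hardened deep-set helper (`safeSet`, an assumed name) that refuses path segments capable of reaching a shared prototype, and a small check (`pollutedPrototypeKeys`) a service can run to confirm Object.prototype is still clean.

```javascript
// Added example (not set-value's code): a deep "set" that refuses the path
// segments abused in prototype pollution, plus a runtime health check.

// Segments that walk from an ordinary object into a shared prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a dotted path (or accept an array of segments) and reject any
// segment that could reach a prototype. Throws TypeError on an unsafe path.
function parseSafePath(path) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  for (const seg of segments) {
    if (seg === '' || FORBIDDEN_SEGMENTS.has(seg)) {
      throw new TypeError(`refusing unsafe path segment: ${JSON.stringify(seg)}`);
    }
  }
  return segments;
}

// Hardened deep-set: intermediate containers are created as own properties
// with a null prototype (nothing shared to poison), and every segment has
// already been validated, so the write can never land on Object.prototype.
function safeSet(target, path, value) {
  const segments = parseSafePath(path);
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const existing = Object.prototype.hasOwnProperty.call(node, seg) ? node[seg] : undefined;
    if (typeof existing !== 'object' || existing === null) {
      node[seg] = Object.create(null);
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Detection aid: enumerable keys that have appeared on Object.prototype.
// A healthy runtime returns an empty list; anything else is worth logging.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Usage on constructed input: a normal path is set, an unsafe one is refused.
const doc = safeSet({}, 'user.profile.name', 'alice');
console.log(JSON.stringify(doc), pollutedPrototypeKeys());
```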
Update the set-value dependency to version 3.0.1 or later. This corrects the Prototype Pollution vulnerability. Run `npm install set-value@latest` or `yarn upgrade set-value@latest` to update.
CVE-2019-10747 is a CRITICAL Prototype Pollution vulnerability in set-value versions before 2.0.1 or 3.0.1, allowing attackers to modify the Object prototype and impact all objects.
You are affected if you are using set-value versions prior to 2.0.1 or 3.0.1. Check your project dependencies to determine if you are vulnerable.
Upgrade to set-value version 2.0.1 or 3.0.1 or later. If immediate upgrade isn't possible, implement input validation.
While no specific campaigns are confirmed, Prototype Pollution vulnerabilities are high-risk and public exploits exist, so vigilance is advised.
Refer to the set-value project's repository and related security advisories for detailed information: https://github.com/yahoo/set-value