Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-9w5f-mw3p-pj47

HIGH

Prototype Pollution(PP) vulnerability in setByPath

Also known asCVE-2023-45827
Published
Nov 3, 2023
Updated
Nov 8, 2023
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
1.2%probability of exploitation in next 30 days
Lower Risk63th percentile-9.03%
0.00%4.30%8.61%12.9%8.4%1.2%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
📦@clickbar/dot-diver

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.

Description

Summary

There is a Prototype Pollution(PP) vulnerability in dot-diver. It can leads to RCE.

Details

//https://github.com/clickbar/dot-diver/tree/main/src/index.ts:277

// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
  objectToSet[lastKey] = value

In this code, there is no validation for Prototpye Pollution.

PoC

import { getByPath, setByPath } from '@clickbar/dot-diver'

console.log({}.polluted); // undefined
setByPath({},'constructor.prototype.polluted', 'foo');
console.log({}.polluted); // foo

Impact

It is Prototype Pollution(PP) and it can leads to Dos, RCE, etc.

Credits

Team : NodeBoB

최지혁 ( Jihyeok Choi )

이동하 ( Lee Dong Ha of ZeroPointer Lab )

강성현    ( kang seonghyeun )

박성진    ( sungjin park )

김찬호    ( Chanho Kim )

이수영    ( Lee Su Young )

김민욱    ( MinUk Kim )

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
📦npm@clickbar/dot-diverall versions1.0.2

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @clickbar/dot-diver. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update @clickbar/dot-diver to 1.0.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-9w5f-mw3p-pj47 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-9w5f-mw3p-pj47 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-9w5f-mw3p-pj47. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary There is a Prototype Pollution(PP) vulnerability in dot-diver. It can leads to RCE. ### Details ```javascript //https://github.com/clickbar/dot-diver/tree/main/src/index.ts:277 // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access objectToSet[lastKey] = value ``` In this code, there is no validation for Prototpye Pollution. ### PoC ```javascript import { getByPath, setByPath } from '@clickbar/dot-diver' console.log({}.polluted); // undefined setByPath({},'constructor.prototype.polluted', 'foo'); console.log({}.polluted); // foo ``` ### Impact It is Prototype
O3 Security · Impact-Aware SCA

Is GHSA-9w5f-mw3p-pj47 in your dependencies?

O3 detects GHSA-9w5f-mw3p-pj47 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works