Search for packages
| purl | pkg:npm/dottie@2.0.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-zgdm-kze3-zydf
Aliases: CVE-2026-27837 GHSA-r5mx-6wc6-7h9w |
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-gj21-c7h9-8ub7 | Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file. |
CVE-2023-26132
GHSA-4gxf-g5gf-22h4 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-13T06:26:07.584822+00:00 | GHSA Importer | Fixing | VCID-gj21-c7h9-8ub7 | https://github.com/advisories/GHSA-4gxf-g5gf-22h4 | 38.6.0 |
| 2026-06-12T15:50:54.458193+00:00 | GitLab Importer | Affected by | VCID-zgdm-kze3-zydf | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dottie/CVE-2026-27837.yml | 38.6.0 |
| 2026-06-12T15:46:17.007492+00:00 | GitLab Importer | Fixing | VCID-gj21-c7h9-8ub7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/dottie/CVE-2023-26132.yml | 38.6.0 |
| 2026-06-12T08:00:13.620415+00:00 | GithubOSV Importer | Fixing | VCID-gj21-c7h9-8ub7 | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-4gxf-g5gf-22h4/GHSA-4gxf-g5gf-22h4.json | 38.6.0 |
| 2026-06-11T20:38:23.287536+00:00 | GHSA Importer | Affected by | VCID-zgdm-kze3-zydf | https://github.com/advisories/GHSA-r5mx-6wc6-7h9w | 38.6.0 |