ahdinosaur/set-in

ahdinosaur/set-in

Releases8

Frequency1 year 6 months

Last Release 4 months ago

Stars4

set value of nested associative structure given array of keys

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-26021 ↗	Feb 11, 2026Wednesday, 11 February 2026, 22:15	9.8 CRITICAL	—
set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.
CVE-2022-25354 ↗	Mar 17, 2022Thursday, 17 March 2022, 12:15	8.6 HIGH	7.5 HIGH
The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. Note: This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049)
CVE-2020-28273 ↗	Dec 2, 2020Wednesday, 2 December 2020, 15:15	9.8 CRITICAL	7.5 HIGH
Prototype pollution vulnerability in 'set-in' versions 1.0.0 through 2.0.0 allows attacker to cause a denial of service and may lead to remote code execution.