Source: node-dottie Version: 2.0.6+~2.0.5-2 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for node-dottie. CVE-2026-27837[0]: | Dottie provides nested object access and manipulation in JavaScript. | Versions 2.0.4 through 2.0.6 contain an incomplete fix for | CVE-2023-26132. The prototype pollution guard introduced in commit | `7d3aee1` only validates the first segment of a dot-separated path, | allowing an attacker to bypass the protection by placing `__proto__` | at any position other than the first. Both `dottie.set()` and | `dottie.transform()` are affected. Version 2.0.7 contains an updated | fix to address the residual vulnerability. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-27837 https://www.cve.org/CVERecord?id=CVE-2026-27837 [1] https://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w [2] https://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
