CWE-1321

pathval before version 1.1.1 is vulnerable to prototype pollution.

This affects all versions of package json-ptr. The issue occurs in the set operation (https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution.

In all versions of package casperjs, the mergeObjects utility function is susceptible to Prototype Pollution.

This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.

All versions of phpjs are vulnerable to Prototype Pollution via parse_str.

madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue.