Description
set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.
Published: 2026-02-11
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Prototype pollution potentially enabling arbitrary code execution or privilege escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability occurs in the npm package set-in (>=2.0.1, <2.0.5) and allows an attacker to pollute Object.prototype by supplying a crafted input that uses Array.prototype, bypassing the forbidden-key check added in an earlier fix. The flaw is a prototype pollution weakness (CWE-1321). Pollution on its own only adds or overwrites properties that every object inherits; the severity comes from what the surrounding application does with those properties. Code that later reads an inherited value as a configuration flag, a template option, a file path or a permission check can be steered into data manipulation, privilege escalation or, where a suitable gadget exists, arbitrary code execution. Because Object.prototype is shared by every object in the JavaScript runtime, a single polluting call affects all code running in that process, including unrelated dependencies.

Affected Systems

The affected vendor is ahdinosaur and the product is set-in, a Node.js utility that sets a value at a nested path in an object given an array of keys (NVD records the vendor as set-in_project). Vulnerable versions are 2.0.1 through 2.0.4. Any project that depends on one of these versions, directly or transitively, and passes attacker-influenced key arrays to it is exposed. The fix is provided in version 2.0.5 and later.

Risk and Exploitability

The 9.4 (Critical) figure is the CVSS 4.0 score from the GitHub advisory, whose vector rates the attack vector as local (AV:L); NVD's separate CVSS 3.1 assessment of 9.8 rates it as network (AV:N). In practice, reachability is whatever the application exposes: any code path that passes attacker-controlled key arrays (for example, from a parsed JSON request body) into set-in lets a remote user pollute prototypes for the whole process, so a service that feeds untrusted data to set-in should be treated as remotely exploitable. The EPSS score below 1% indicates a low current probability of exploitation in the wild, although that can change as payloads circulate, and the vulnerability is not listed in the CISA KEV catalog. The SSVC assessment records proof-of-concept exploitation with total technical impact but rates the flaw as not automatable.

Generated by OpenCVE AI on April 17, 2026 at 20:10 UTC.

Remediation

The advisory states that the issue is fixed in set-in 2.0.5; no separate vendor workaround is listed for the vulnerable releases.

OpenCVE Recommended Actions

  • Upgrade the set-in package to version 2.0.5 or later.
  • Audit the dependency tree (for example with npm ls set-in, or by scanning the lockfile) to identify transitive copies of set-in in the range 2.0.1 through 2.0.4, and update or replace the dependencies that pull them in.
  • As a temporary safeguard, validate every key path before it reaches set-in: accept only plain string keys, reject __proto__, constructor and prototype wherever they occur in the path, and never let untrusted input choose the path shape. Rejecting arrays outright is not an option, since set-in takes its key path as an array. As defence in depth, freezing Object.prototype at startup (Object.freeze(Object.prototype)) stops any pollution from taking effect, at the cost of breaking libraries that legitimately extend it.

Generated by OpenCVE AI on April 17, 2026 at 20:10 UTC.

Advisories
Source | ID | Title
GitHub GHSA | GHSA-2c4m-g7rx-63q7 | set-in Affected by Prototype Pollution
History

Fri, 13 Feb 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Set-in Project; Set-in Project set-in
CPEs | | cpe:2.3:a:set-in_project:set-in:*:*:*:*:*:*:*:*
Vendors & Products | | Set-in Project; Set-in Project set-in
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 12 Feb 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ahdinosaur; Ahdinosaur set-in
Vendors & Products | | Ahdinosaur; Ahdinosaur set-in

Wed, 11 Feb 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.
Title | | Prototype pollution in set-in
Weaknesses | | CWE-1321
References | |
Metrics | | cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T21:16:04.618Z

Reserved: 2026-02-09T21:36:29.554Z

Link: CVE-2026-26021

Vulnrichment

Updated: 2026-02-12T21:15:58.717Z

NVD

Status : Analyzed

Published: 2026-02-11T22:15:52.077

Modified: 2026-02-13T21:43:27.900

Link: CVE-2026-26021

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:15:27Z

Weaknesses