Security Vulnerability: CVE-2023-26139 underscore-keypath Prototype Pollution

[mdwekat]

Description

I have identified a security vulnerability in one of the dependencies used by user-agents v1.0.1444. The dependency underscore-keypath is vulnerable to Prototype Pollution, as described in CVE-2023-26139.

Details

• Affected Version: user-agents v1.0.1444
• Vulnerable Dependency: underscore-keypath
• CVE: CVE-2023-26139
• Impact: Prototype Pollution can allow an attacker to inject arbitrary properties into existing objects. This can lead to various types of security vulnerabilities such as bypassing security checks or potentially unauthorized execution of code.

Steps to Reproduce

1. Install the user-agents package using npm with the version v1.0.1444.
2. Run npm audit in the project directory.

Thank you for your attention to this matter.

[modestfake]

There seems to be a PR #59 that should fix this issue.