Dexie is a minimalistic wrapper for IndexedDB. The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like proto or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. Note: This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input.
An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
According to GitHub Dependabot, used versions of
axios
anddexie
are vulnerable https://github.com/reyesoft/ngx-jsonapi/blob/6a50dc5c5489cfa1eb40a80e0b2c0bf771924917/package.json#L154-L155Dexie: Affected versions: < 3.2.2 Patched version: 3.2.2
Axios: Affected versions: >= 0.8.1, < 1.6.0 Patched version: 1.6.0
Please upgrade these dependencies.