scim-patch is vulnerable to Prototype Pollution
43
Medium Risk
scim-patch blocks direct dangerous path segments such as __proto__, constructor, and prototype, but navigate() and assign() still treat inherited properties as existing when resolving SCIM patch paths. An attacker who controls a SCIM PATCH operation can use a path like toString.polluted to mutate shared built-in method objects such as Object.prototype.toString, adding attacker-controlled properties process-wide. The impact is narrower than direct Object.prototype pollution but still leaks into any application logic that reads properties from inherited methods. The fix switches to own-property checks via Object.prototype.hasOwnProperty.call so only own keys are traversed and inherited built-ins are no longer mutated.
You are affected if you are using a version that falls within the vulnerable range.
scim-patch is vulnerable to Prototype Pollution in versions 0.9.1 - 0.9.1.
Upgrade the scim-patch library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant