forge.util.setPath had a potential prototype pollution issue if called with untrusted keys. This API was not used by forge itself.
The forge.util.setPath API and related functions were removed in 0.10.0.
Don't call forge.util.setPath directly or indirectly with untrusted keys.
If you have any questions or comments about this advisory:
| Software | From | Fixed in |
|---|---|---|
digitalbazaar / node-forge
|
- | 0.10.0 |