CVE-2024-36582 – @alexbinary/object-deep-assign

Package

Manager: npm
Name: @alexbinary/object-deep-assign
Vulnerable Version: >=0 <=1.0.11

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00142 pctl0.34978

Details

object-deep-assign Prototype Pollution alexbinary object-deep-assign 1.0.11 is vulnerable to Prototype Pollution via the extend() method of Module.deepAssign (/src/index.js)

Metadata

Created: 2024-06-17T15:30:54Z
Modified: 2024-06-17T21:37:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-4xg3-7w7q-856q/GHSA-4xg3-7w7q-856q.json
CWE IDs: []
Alternative ID: GHSA-4xg3-7w7q-856q
Finding: F390
Auto approve: 1