CVE-2021-26707 merge-deep

Package

Manager: npm
Name: merge-deep
Vulnerable Version: >=0 <3.0.3

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0109 (percentile: 0.77099)

Details

Prototype pollution in Merge-deep

The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.
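
The class of bug described above (CWE-1321), shown as an added example that is not merge-deep's source code or its upstream fix. It contrasts an unguarded recursive merge with a guarded one on constructed input; all function names are hypothetical.

```javascript
// Added illustration; not merge-deep's source code. All names are hypothetical.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Unguarded recursive merge: target[key] may resolve to Object.prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Guarded merge: skips prototype-related keys, recurses only into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(src) && own && isPlainObject(target[key])) {
      safeMerge(target[key], src);
    } else {
      target[key] = isPlainObject(src) ? safeMerge({}, src) : src;
    }
  }
  return target;
}

function demo() {
  // Constructed input: JSON.parse makes "__proto__" an own, enumerable key.
  const untrusted = JSON.parse('{"a":{"b":1},"__proto__":{"polluted":true}}');
  const result = {};
  try {
    naiveMerge({ a: {} }, untrusted);
    result.naivePolluted = ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted; // restore global state
  }
  result.merged = safeMerge({ a: { c: 2 } }, untrusted);
  result.safePolluted = ({}).polluted === true;
  return result;
}
```

The guarded merge drops any data key literally named `constructor` or `prototype`, which is the usual trade-off for this kind of filter. For applications that depend on merge-deep, the version range above means the remedy is 3.0.3 or later.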

Metadata

Created: 2021-06-07T22:09:26Z
Modified: 2021-06-16T19:58:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-r6rj-9ch6-g264/GHSA-r6rj-9ch6-g264.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-r6rj-9ch6-g264
Finding: F390
Auto approve: 1