GHSA-gm9g-2g8v-fvxj – upmerge

Package

Manager: npm
Name: upmerge
Vulnerable Version: >=0 <=0.1.8

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Prototype Pollution in upmerge All versions of `upmerge` are vulnerable to Prototype Pollution. The merge() function fails to prevent user input to alter an Object's prototype, allowing attackers to modify override properties of all objects in the application. This may lead to Denial of Service or may be chained with other vulnerabilities leading to Remote Code Execution. ## Recommendation No fix is currently available. Consider using an alternative module until a fix is made available.

Metadata

Created: 2019-06-06T15:32:28Z
Modified: 2021-09-16T20:59:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-gm9g-2g8v-fvxj/GHSA-gm9g-2g8v-fvxj.json
CWE IDs: ["CWE-345", "CWE-400"]
Alternative ID: N/A
Finding: F067
Auto approve: 1