Prototype Pollution
Affecting merge package, versions <1.2.1
Overview
merge is used to merge multiple objects into one object.
Affected versions of this package are vulnerable to Prototype Pollution via the merge.recursive
function. It can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
Remediation
Upgrade merge
to version 1.2.1 or higher.
References
Do your applications use this vulnerable package?
CVSS Score
2.0
low severity
-
Attack VectorNetwork
-
Attack ComplexityHigh
-
Privileges RequiredHigh
-
User InteractionRequired
-
ScopeUnchanged
-
ConfidentialityNone
-
IntegrityNone
-
AvailabilityLow
- Credit
- asgerf
- CVE
- CVE-2018-16469
- CWE
- CWE-400
- Snyk ID
- SNYK-JS-MERGE-72553
- Disclosed
- 28 Sep, 2018
- Published
- 04 Nov, 2018