Prototype Pollution Affecting merge package, versions <1.2.1
Snyk CVSS
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Threat Intelligence
Exploit Maturity: Mature
EPSS: 0.11% (45th percentile)
- Snyk ID SNYK-JS-MERGE-72553
- published 4 Nov 2018
- disclosed 28 Sep 2018
- credit asgerf
Introduced: 28 Sep 2018
CVE-2018-16469
How to fix?
Upgrade merge to version 1.2.1 or higher.
Overview
merge is used to merge multiple objects into one object.
Affected versions of this package are vulnerable to Prototype Pollution via the merge.recursive function. It can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
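
The failure mode described above, shown as an added example with a simplified recursive merge next to a hardened one; this is illustration code written for this page, not the source of the merge package or its fix. The names naiveMerge, safeMerge, BLOCKED_KEYS, SAMPLE and the "flagged" property are assumptions made for the example.

```javascript
// Added example: simplified recursive merges written for illustration,
// not the source of the merge package.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive form: follows every key, so a "__proto__" key in the source makes
// the recursion descend into Object.prototype and write to it.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened form: only own keys, blocked keys skipped, and nested targets
// must be own properties so inherited objects are never descended into.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(value)) {
      if (!hasOwn || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input: JSON.parse creates "__proto__" as an own property.
const SAMPLE = '{"name":"demo","__proto__":{"flagged":true}}';

// Returns whether a fresh, unrelated object sees the "flagged" property
// after merging SAMPLE with the given function; cleans up afterwards.
function pollutesPrototype(mergeFn) {
  mergeFn({}, JSON.parse(SAMPLE));
  const polluted = ({}).flagged === true;
  delete Object.prototype.flagged;
  return polluted;
}
```

The same pollutesPrototype check can be pointed at any merge helper in a code base as a regression test after upgrading.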