Description

The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.

Related CPE's

a

merge-deep_project

merge-deep

*

*

*

*

*

node.js

Vulnerable

a

netapp

e-series_performance_analyzer

-

Vulnerable

References

https://github.com/jonschlinkert/merge-deep/commit/11e5dd56de8a6aed0b1ed022089dbce6968d82a5

PatchThird Party Advisory

https://security.netapp.com/advisory/ntap-20210716-0008/

Third Party Advisory

https://securitylab.github.com/advisories/GHSL-2020-160-merge-deep/

Third Party Advisory

https://www.npmjs.com/package/merge-deep

ProductThird Party Advisory

https://github.com/jonschlinkert/merge-deep/commit/11e5dd56de8a6aed0b1ed022089dbce6968d82a5

PatchThird Party Advisory

https://security.netapp.com/advisory/ntap-20210716-0008/

Third Party Advisory

https://securitylab.github.com/advisories/GHSL-2020-160-merge-deep/

Third Party Advisory

https://www.npmjs.com/package/merge-deep

ProductThird Party Advisory

Weaknesses

[email protected]

Primary
CWE-1321

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 · Critical

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2021-06-02T13:15:07.787Z

4 years ago

Last modified

2024-11-21T04:56:42.723Z

1 year ago