Description

The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.

Related CPE's

a

merge-deep_project

merge-deep

*

*

*

*

*

node.js

Vulnerable

a

netapp

e-series_performance_analyzer

-

Vulnerable

References

https://github.com/jonschlinkert/merge-deep/commit/11e5dd56de8a6aed0b1ed022089dbce6968d82a5

PatchThird Party Advisory

https://security.netapp.com/advisory/ntap-20210716-0008/

Third Party Advisory

https://securitylab.github.com/advisories/GHSL-2020-160-merge-deep/

Third Party Advisory

https://www.npmjs.com/package/merge-deep

ProductThird Party Advisory

Weaknesses

[email protected]

Primary
CWE-1321

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 · Critical

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2021-06-02T15:15:07.787

4 years ago

Last modified

2022-12-02T19:37:32.077

2 years ago