

Severity: High
EPSS: 0.00235% (0.46497 Percentile)

assign-deep Vulnerable to Prototype Pollution

Affected Package: npm:assign-deep (PURL: pkg:npm/assign-deep)
Affected Versions: = 1.0.0, < 0.4.8
Fixed Versions: 1.0.1, 0.4.8

193 dependent packages, 3,841 dependent repositories, 257,955 downloads last month

Affected Version Ranges

All affected versions

0.1.0, 0.1.2, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 1.0.0

All unaffected versions

0.4.8, 1.0.1

Versions of assign-deep prior to 1.0.1 and 0.4.8 are vulnerable to Prototype Pollution. The assign function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, so that a property is added to, or an existing property is modified on, all objects.
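The defect class described above, as an added illustration that is not the assign-deep source: a deep merge that copies every key reaches Object.prototype through an own "__proto__" key on parsed JSON, while the hardened form skips the prototype-chain keys and only walks own properties of the target. The payload, canary and function names are constructed for this example.

```javascript
// Keys that must never be followed during a recursive merge of untrusted input.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable form (constructed): copies every own key of `source`, so an own
// "__proto__" key makes the recursion descend into Object.prototype itself.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val && typeof val === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      mergeUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened form (constructed): refuses prototype-chain keys and only reuses
// nested objects that are own properties of the target, never inherited ones.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = source[key];
    if (val && typeof val === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !target[key] || typeof target[key] !== 'object') target[key] = {};
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed untrusted input. JSON.parse creates an own "__proto__" key; an
// object literal would instead set the prototype, which is why parsed input matters.
const PAYLOAD = '{"settings": {"theme": "dark"}, "__proto__": {"polluted": "yes"}}';

// Runs both merges against a fresh target and reports whether an unrelated
// object (the canary) picked up the injected property via Object.prototype.
function demonstrate() {
  const results = {};
  for (const [name, merge] of [['unsafe', mergeUnsafe], ['safe', mergeSafe]]) {
    const target = merge({}, JSON.parse(PAYLOAD));
    const canary = {};
    results[name] = {
      canaryPolluted: canary.polluted === 'yes',
      themeCopied: target.settings.theme === 'dark',
    };
    delete Object.prototype.polluted; // restore a clean prototype between runs
  }
  return results;
}
```

Running demonstrate() shows the unsafe merge leaking "polluted" onto every object while the safe merge still copies the legitimate "settings" subtree.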

Recommendation

Upgrade to versions 1.0.1, 0.4.8, or later.
