Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTY2cmgtOGZ3Ni01OXE2
assign-deep Vulnerable to Prototype Pollution
Versions of assign-deep prior to 1.0.1 and 0.4.8 are vulnerable to Prototype Pollution. The assign function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.
Recommendation
Upgrade to versions 1.0.1, 0.4.8, or later.
Permalink: https://github.com/advisories/GHSA-66rh-8fw6-59q6JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTY2cmgtOGZ3Ni01OXE2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 5 years ago
Updated: almost 2 years ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-66rh-8fw6-59q6, CVE-2019-10745
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10745
- https://snyk.io/vuln/SNYK-JS-ASSIGNDEEP-450211
- https://www.npmjs.com/advisories/1014
- https://github.com/jonschlinkert/assign-deep/commit/8e3cc4a34246733672c71e96532105384937e56c
- https://github.com/jonschlinkert/assign-deep/commit/90bf1c551d05940898168d04066bbf15060f50cc
- https://github.com/advisories/GHSA-66rh-8fw6-59q6
Blast Radius: 26.9
Affected Packages
npm:assign-deep
Dependent packages: 193Dependent repositories: 3,841
Downloads: 211,290 last month
Affected Version Ranges: = 1.0.0, < 0.4.8
Fixed in: 1.0.1, 0.4.8
All affected versions: 0.1.0, 0.1.2, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 1.0.0
All unaffected versions: 0.4.8, 1.0.1