Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThqNHctNWZ3NC1ybTI3
Prototype Pollution in deeply
Versions of deeply
prior to 1.0.1 are vulnerable to Prototype Pollution. The package fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.
Recommendation
Upgrade to version 3.1.0 or later.
Permalink: https://github.com/advisories/GHSA-8j4w-5fw4-rm27JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThqNHctNWZ3NC1ybTI3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00659
EPSS Percentile: 0.79885
Identifiers: GHSA-8j4w-5fw4-rm27, CVE-2019-10750
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10750
- https://snyk.io/vuln/SNYK-JS-DEEPLY-451026
- https://www.npmjs.com/advisories/1030
- https://github.com/advisories/GHSA-8j4w-5fw4-rm27
Affected Packages
npm:deeply
Dependent packages: 26Dependent repositories: 28,397
Downloads: 4,816 last month
Affected Version Ranges: < 3.1.0
Fixed in: 3.1.0
All affected versions: 0.1.0, 1.0.0, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 3.0.0
All unaffected versions: 3.1.0