Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY3cXctNXB2Zy1tbXdw
Prototype Pollution in lutils-merge
All versions of lutils-merge are vulnerable to Prototype Pollution. The merge() function fails to prevent user input to alter an Object's prototype, allowing attackers to modify override properties of all objects in the application. This may lead to Denial of Service or may be chained with other vulnerabilities leading to Remote Code Execution.
Recommendation
The package is deprecated and no fixes are available. Consider using an alternative package.
Permalink: https://github.com/advisories/GHSA-f7qw-5pvg-mmwpJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY3cXctNXB2Zy1tbXdw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 5 years ago
Updated: over 1 year ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-f7qw-5pvg-mmwp
References:
- https://github.com/nfour/lutils-merge/issues/1
- https://hackerone.com/reports/439107
- https://www.npmjs.com/advisories/893
- https://snyk.io/vuln/SNYK-JS-LUTILSMERGE-174783
- https://github.com/advisories/GHSA-f7qw-5pvg-mmwp
Blast Radius: 3.5
Affected Packages
npm:lutils-merge
Dependent packages: 5Dependent repositories: 3
Downloads: 285 last month
Affected Version Ranges: <= 0.2.6
No known fixed version
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6