Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBqeHctMjJ4Zi02cHdj
Prototype Pollution in defaults-deep
All versions of defaults-deep are vulnerable to prototype pollution. Provided certain input defaults-deep can add or modify properties of the Object prototype. These properties will be present on all objects.
Recommendation
As no patch is currently available for this vulnerability it is our recommendation to select another module that can provide this functionality.
Permalink: https://github.com/advisories/GHSA-pjxw-22xf-6pwcJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBqeHctMjJ4Zi02cHdj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 5 years ago
Updated: 8 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-pjxw-22xf-6pwc, CVE-2018-16486
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-16486
- https://hackerone.com/reports/380878
- https://github.com/advisories/GHSA-pjxw-22xf-6pwc
- https://www.npmjs.com/advisories/778
Affected Packages
npm:defaults-deep
Dependent packages: 42Dependent repositories: 3,475
Downloads: 276,558 last month
Affected Version Ranges: <= 0.2.4
No known fixed version
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4