Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI2cmotOWNoNi1nMjY0
Prototype pollution in Merge-deep
The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.
Permalink: https://github.com/advisories/GHSA-r6rj-9ch6-g264
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI2cmotOWNoNi1nMjY0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.0061
EPSS Percentile: 0.78509
Identifiers: GHSA-r6rj-9ch6-g264, CVE-2021-26707
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-26707
- https://github.com/jonschlinkert/merge-deep/commit/11e5dd56de8a6aed0b1ed022089dbce6968d82a5
- https://securitylab.github.com/advisories/GHSL-2020-160-merge-deep/
- https://www.npmjs.com/package/merge-deep
- https://security.netapp.com/advisory/ntap-20210716-0008/
- https://github.com/advisories/GHSA-r6rj-9ch6-g264
Blast Radius: 58.5
Affected Packages
npm:merge-deep
Dependent packages: 352
Dependent repositories: 924,707
Downloads: 3,787,508 last month
Affected Version Ranges: < 3.0.3
Fixed in: 3.0.3
All affected versions: 0.1.0, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 2.0.0, 2.0.1, 2.0.2, 3.0.0, 3.0.1, 3.0.2
All unaffected versions: 3.0.3