GHSA-r6rj-9ch6-g264
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r6rj-9ch6-g264
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-r6rj-9ch6-g264/GHSA-r6rj-9ch6-g264.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-r6rj-9ch6-g264
- Aliases
- Published
- 2021-06-07T22:09:26Z
- Modified
- 2023-11-01T04:54:52.083983Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Prototype pollution in Merge-deep
- Details
-
The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.
- Database specific
{ "nvd_published_at": "2021-06-02T15:15:00Z", "cwe_ids": [ "CWE-1321" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2021-06-03T21:48:51Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-26707
- https://github.com/jonschlinkert/merge-deep/commit/11e5dd56de8a6aed0b1ed022089dbce6968d82a5
- https://security.netapp.com/advisory/ntap-20210716-0008
- https://securitylab.github.com/advisories/GHSL-2020-160-merge-deep
- https://www.npmjs.com/package/merge-deep
Affected packages
npm / merge-deep
Package
- Name
- merge-deep
- View open source insights on deps.dev
- Purl
- pkg:npm/merge-deep