GHSA-2m96-9w4j-wgv7

Опубликовано: 03 сент. 2020

Источник: github

Github: Прошло ревью

Описание

Prototype Pollution in lodash.merge

Versions of lodash.merge before 4.6.1 are vulnerable to Prototype Pollution. The function 'merge' may allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.6.1 or later.

Ссылки

https://www.npmjs.com/advisories/1067

Пакеты

Наименование

lodash.merge

npm

Затронутые версииВерсия исправления

< 4.6.1

4.6.1

Дефекты

CWE-1321

Дефекты

CWE-1321