Description
assign-deep Vulnerable to Prototype Pollution
Versions of assign-deep prior to 1.0.1 and 0.4.8 are vulnerable to Prototype Pollution. The assign function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.
Recommendation
Upgrade to versions 1.0.1, 0.4.8, or later.
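The defect described above is a deep merge that copies every key of the source, including `__proto__` and `constructor`, so an attacker-controlled object can reach `Object.prototype`. The example below is added here and is not assign-deep's own code or its upstream fix; it shows the key validation that was missing (a hypothetical `safeAssignDeep` that skips `__proto__`, `constructor` and `prototype` and only recurses into own plain-object properties) together with a small `prototypeIsPolluted` check, run against a constructed JSON payload of the shape the advisory names:

```javascript
// Added example, not the assign-deep package's code. Demonstrates the key
// validation a deep-assign needs so that untrusted input cannot reach
// Object.prototype, plus a check for whether pollution already happened.

// Keys that must never be copied or recursed into from untrusted input.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True only for ordinary object literals / JSON objects (not arrays, class
// instances, Dates, ...), so the merge never walks into exotic objects.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hypothetical hardened deep assign (assumption: same shape as a typical
// assign(target, ...sources) helper, returns the mutated target).
function safeAssignDeep(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    // Object.keys yields own enumerable keys only. A JSON-decoded "__proto__"
    // IS an own key, so it still has to be filtered explicitly below.
    for (const key of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(key)) continue; // the validation the vulnerable versions lacked
      const value = source[key];
      if (isPlainObject(value)) {
        // Only recurse into an own plain-object slot of the target; never into an
        // inherited object (e.g. target.constructor.prototype).
        const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
        if (!hasOwn || !isPlainObject(target[key])) target[key] = {};
        safeAssignDeep(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Detection helper: has a property with this name been added to Object.prototype?
function prototypeIsPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Constructed payload (JSON.parse is used on purpose: in JSON the "__proto__"
// key becomes an own data property, unlike in an object literal).
const UNTRUSTED_PAYLOAD = JSON.parse(
  '{"name":"x","nested":{"b":2},' +
  '"__proto__":{"polluted":true},' +
  '"constructor":{"prototype":{"polluted2":true}}}'
);

// Merge the constructed payload into a default config and report the outcome.
function demo() {
  const config = safeAssignDeep({ name: 'default', nested: { a: 1 } }, UNTRUSTED_PAYLOAD);
  return {
    name: config.name,                 // legitimate key still merged
    nestedA: config.nested.a,          // existing nested value preserved
    nestedB: config.nested.b,          // new nested value merged
    polluted: prototypeIsPolluted('polluted') || prototypeIsPolluted('polluted2'),
    leaked: ({}).polluted === true,    // would be true on an unrelated object if polluted
  };
}
```

Running `demo()` merges `name` and `nested` as expected while `polluted` and `leaked` stay `false`. The same `prototypeIsPolluted` check can be run in a test suite after exercising any merge or extend helper an application depends on, which is a cheap regression guard when upgrading to the fixed versions.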
References
- https://nvd.nist.gov/vuln/detail/CVE-2019-10745
- https://github.com/jonschlinkert/assign-deep/commit/8e3cc4a34246733672c71e96532105384937e56c
- https://github.com/jonschlinkert/assign-deep/commit/90bf1c551d05940898168d04066bbf15060f50cc
- https://snyk.io/vuln/SNYK-JS-ASSIGNDEEP-450211
- https://www.npmjs.com/advisories/1014
Packages

| Name | Ecosystem | Affected versions | Fixed version |
|---|---|---|---|
| assign-deep | npm | < 0.4.8 | 0.4.8 |
| assign-deep | npm | = 1.0.0 | 1.0.1 |
Related vulnerabilities
CVSS3: 7.5
nvd
more than 6 years ago
assign-deep is vulnerable to Prototype Pollution in versions before 0.4.8 and version 1.0.0. The function assign-deep could be tricked into adding or modifying properties of Object.prototype using either a constructor or a __proto__ payload.