GHSA-f7qw-5pvg-mmwp

Опубликовано: 13 июн. 2019

Источник: github

Github: Прошло ревью

CVSS3: 7.3

Описание

Prototype Pollution in lutils-merge

All versions of lutils-merge are vulnerable to Prototype Pollution. The merge() function fails to prevent user input to alter an Object's prototype, allowing attackers to modify override properties of all objects in the application. This may lead to Denial of Service or may be chained with other vulnerabilities leading to Remote Code Execution.

Recommendation

The package is deprecated and no fixes are available. Consider using an alternative package.

Ссылки

https://github.com/nfour/lutils-merge/issues/1
https://hackerone.com/reports/439107
https://snyk.io/vuln/SNYK-JS-LUTILSMERGE-174783
https://www.npmjs.com/advisories/893

Пакеты

Наименование

lutils-merge

npm

Затронутые версииВерсия исправления

<= 0.2.6

Отсутствует

7.3 High

CVSS3

Дефекты

CWE-400

7.3 High

CVSS3

Дефекты

CWE-400