Do your applications use this vulnerable package?
Test your applications
Overview
merge is used to merge multiple objects into one object.
Affected versions of this package are vulnerable to Prototype Pollution via the merge.recursive
function. It can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
Remediation
Upgrade merge
to version 1.2.1 or higher.
References
CVSS Score
2.0
low severity
-
Attack VectorNetwork
-
Attack ComplexityHigh
-
Privileges RequiredHigh
-
User InteractionRequired
-
ScopeUnchanged
-
ConfidentialityNone
-
IntegrityNone
-
AvailabilityLow
- Credit
- asgerf
- CVE
- CVE-2018-16469
- CWE
- CWE-400
- Snyk ID
- SNYK-JS-MERGE-72553
- Disclosed
- 28 Sep, 2018
- Published
- 04 Nov, 2018