Object Modification Vulnerability in Merge-Objects Node Module
CVE-2018-3753

9.8CRITICAL

Key Information:

Vendor: Merge-object Project
Status: Merge-object
Vendor: CVE Published:; 3 July 2018

🔔 Create Merge-object Project Vulnerability Alert

What is CVE-2018-3753?

The merge-objects node module, in all versions up to and including 1.0.0, contains a vulnerability in its utilities function. Malicious actors can exploit this flaw by manipulating input structures to modify the Object prototype. This can result in significant security risks, allowing attackers to add or alter properties that affect all objects within the JavaScript environment, leading to unexpected behaviors and potential breaches.

References

https://hackerone.com/reports/310706

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 3, 2018
Vulnerability Reserved
Dec 28, 2017

JSON