Prototype Pollution Vulnerability in Node.js Library Merge-Deep
CVE-2021-26707

9.8CRITICAL

Key Information:

Vendor

Merge-deep Project

Status
Merge-deep
Vendor
CVE Published:
2 June 2021

What is CVE-2021-26707?

The merge-deep library for Node.js, prior to version 3.0.3, is susceptible to a prototype pollution vulnerability. This flaw allows an attacker to manipulate the Object.prototype, enabling unauthorized overwriting of existing properties or the addition of new ones. As a result, these changes are inherited by all objects created thereafter, potentially enabling various attacks against applications that utilize this library. This vulnerability presents significant risks to application integrity by allowing malicious actors to inject or corrupt data structures.

References

https://www.npmjs.com/package/merge-deep
x_refsource_MISC
https://github.com/jonschlinkert/merge-deep/commit/11e5dd...
x_refsource_MISC
https://securitylab.github.com/advisories/GHSL-2020-160-m...
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.