
[vulnerability] All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge

Open ekelvin opened this issue 4 years ago • 3 comments

In the absence of a security policy I am creating the issue here. CVE-2020-28499 https://nvd.nist.gov/vuln/detail/CVE-2020-28499#match-6281551

ekelvin avatar Mar 04 '21 00:03 ekelvin

@ekelvin, what does the library need to avoid Prototype Pollution completely? This?:

- if (key === '__proto__' || key === 'constructor' || key === 'prototype')
+ if (key === '__proto__' || key === 'constructor' || key === 'prototype' || key === 'toString' || key === 'hasOwnProperty')
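Review bot: The two keys added on the `+` line, `toString` and `hasOwnProperty`, do not close a pollution path, so blocking them only rejects inputs that legitimately carry those keys: assigning `target.toString = value` on a plain object creates an own property on that object and never writes into `Object.prototype`. The `-` line's filter on `__proto__`, `constructor` and `prototype` is the right set; what makes it sufficient is applying it at every recursion level of `_recursiveMerge`, iterating only the source's own keys (`Object.keys(source)` rather than `for...in`), and descending into `target[key]` only when it is an own property of the target, so an inherited object such as `Object.prototype` is never used as a merge destination.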

matheo avatar May 21 '21 23:05 matheo
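The key filter discussed above, as an added example that is not part of this thread and not the merge package's own code: a recursive merge written in the vulnerable shape next to a hardened one, with a constructed hostile payload. The function names (`unsafeMerge`, `safeMerge`, `pollutes`) and `HOSTILE_JSON` are this example's own.

```javascript
// Added example (not the merge package's code); all names here are this example's own.
// Constructed hostile input, e.g. a parsed JSON body; JSON.parse creates an own,
// enumerable key literally named "__proto__".
const HOSTILE_JSON = '{"__proto__": {"polluted": true}}';

// Vulnerable shape: every source key is written into target. On a plain target,
// target["__proto__"] is Object.prototype, so the recursion writes into it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the three keys that reach a prototype at every level, visit only
// the source's own keys, and descend only into an own property of the target.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Feeds the hostile input to a merge and reports whether an unrelated object now
// sees the planted key through Object.prototype; restores the prototype afterwards.
function pollutes(mergeFn) {
  mergeFn({}, JSON.parse(HOSTILE_JSON));
  const result = ({}).polluted === true;
  delete Object.prototype.polluted;
  return result;
}
console.log('unsafe:', pollutes(unsafeMerge), 'safe:', pollutes(safeMerge)); // true false
```

Note that `safeMerge` still copies a plain `toString` key as an own property of the target, which is why the extended blocklist is not needed.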

Hi @matheo, can you publish your repository in npm registry?

Otherwise, there is this other vulnerability: CVE-2021-23397 (https://nvd.nist.gov/vuln/detail/CVE-2021-23397).

Although I know this vulnerability is about another library, it came up when running the dependency check over this merge library!

I don't know if this fix solves the problem.

samydavd avatar Apr 03 '23 15:04 samydavd

The CVE (https://github.com/advisories/GHSA-7wpw-2hjm-89gp) says:

  • Affected versions < 2.1.1
  • Patched versions 2.1.1

What is the problem?

juanrgm avatar May 05 '23 17:05 juanrgm