Skip to content

Prototype Pollution in lutils-merge

Moderate severity GitHub Reviewed Published Jun 13, 2019 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm lutils-merge (npm)

Affected versions

<= 0.2.6

Patched versions

None

Description

All versions of lutils-merge are vulnerable to Prototype Pollution. The merge() function fails to prevent user input to alter an Object's prototype, allowing attackers to modify override properties of all objects in the application. This may lead to Denial of Service or may be chained with other vulnerabilities leading to Remote Code Execution.

Recommendation

The package is deprecated and no fixes are available. Consider using an alternative package.

References

Reviewed Jun 13, 2019
Published to the GitHub Advisory Database Jun 13, 2019
Last updated Jan 9, 2023

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-f7qw-5pvg-mmwp

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.