Severity: moderate

    Prototype Pollution

    merge-deep

    Overview

    merge-deep before 3.0.3 can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.
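
The class of bug the overview describes, shown next to a guarded version. This is an added example: a generic recursive merge, not merge-deep's source code or its 3.0.3 fix. The names `naiveMerge`, `safeMerge`, `checkMerge` and the input document are constructed for illustration.

```javascript
// Added illustration: generic recursive merges, NOT merge-deep's implementation.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Unguarded pattern: recurses into whatever target[key] resolves to,
// which for the key "__proto__" is Object.prototype itself.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Guarded pattern: skips prototype-related keys and only recurses into
// objects that are own properties of the target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Regression check: merge a constructed untrusted document, report whether a
// brand-new object inherited the marker, then restore Object.prototype.
function checkMerge(mergeFn) {
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}, "a": {"b": 1}}');
  const merged = mergeFn({ a: { c: 2 } }, untrusted);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { leaked, merged };
}

console.log(checkMerge(naiveMerge).leaked, checkMerge(safeMerge).leaked); // true false
```

The same `checkMerge` harness can be pointed at any merge helper in a code base as a regression test for this bug class.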

    Remediation

    Upgrade merge-deep to version 3.0.3 or later.

    Advisory timeline

    1. published

      Advisory Published
      Jun 7th, 2021
    2. reported

      Reported by Anonymous
      Jun 7th, 2021