Severity: low

Prototype pollution

merge

Overview

Versions of merge before 1.2.1 are vulnerable to prototype pollution. The merge.recursive function can be tricked into adding or modifying properties of the Object prototype.

Remediation

Update to version 1.2.1 or later.

Resources

Advisory timeline

  1. Created

    2018-11-05T17:04:20.221Z
  2. Updated

    2018-11-05T17:04:20.221Z