First published: Thu Jun 07 2018
merge-deep node module before 3.0.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
Merge-deep Project Merge-deep | <3.0.1 |
CVE-2018-3722 is a vulnerability in the merge-deep node module before version 3.0.1 that is susceptible to prototype pollution via merging functions.
The severity of CVE-2018-3722 is high, with a severity value of 8.8.
CVE-2018-3722 allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Versions of merge-deep before 3.0.1 are affected by CVE-2018-3722.
To fix CVE-2018-3722, update merge-deep to version 3.0.1 or later.