What is CVE-2021-26707?

CVE-2021-26707 is a vulnerability in the merge-deep library for Node.js that allows for prototype-pollution attacks.

What is the severity of CVE-2021-26707?

CVE-2021-26707 has a severity rating of 9.8, which is classified as critical.

Which software is affected by CVE-2021-26707?

The merge-deep library before version 3.0.3 for Node.js and Netapp E-series Performance Analyzer are affected by CVE-2021-26707.

How can CVE-2021-26707 be exploited?

CVE-2021-26707 can be exploited by tricking the merge-deep library into overwriting properties of Object.prototype or adding new properties to it.

How can I fix CVE-2021-26707?

To fix CVE-2021-26707, it is recommended to update the merge-deep library to version 3.0.3 or later.

Vulnerability/
CVE-2021-26707

critical

9.8

CWE

1321

2/6/2021

7/6/2021

3/8/2024

CVE-2021-26707

First published: Wed Jun 02 2021(Updated: )

The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
Merge-deep Project Merge-deep	<3.0.3
Netapp E-series Performance Analyzer
npm/merge-deep	<3.0.3	3.0.3

Remedy

https://github.com/jonschlinkert/merge-deep/commit/11e5dd56de8a6aed0b1ed022089dbce6968d82a5

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-26707?
CVE-2021-26707 is a vulnerability in the merge-deep library for Node.js that allows for prototype-pollution attacks.
What is the severity of CVE-2021-26707?
CVE-2021-26707 has a severity rating of 9.8, which is classified as critical.
Which software is affected by CVE-2021-26707?
The merge-deep library before version 3.0.3 for Node.js and Netapp E-series Performance Analyzer are affected by CVE-2021-26707.
How can CVE-2021-26707 be exploited?
CVE-2021-26707 can be exploited by tricking the merge-deep library into overwriting properties of Object.prototype or adding new properties to it.
How can I fix CVE-2021-26707?
To fix CVE-2021-26707, it is recommended to update the merge-deep library to version 3.0.3 or later.

collector/nvd-index
collector/github-advisory-latest
alias/GHSA-r6rj-9ch6-g264
alias/CVE-2021-26707
collector/nvd-cve
collector/github-advisory
agent/author
agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/remedy
agent/last-modified-date
agent/severity
agent/weakness
agent/event
agent/tags
agent/first-publish-date
agent/description
agent/trending
vendor/merge-deep project
canonical/merge-deep project merge-deep
vendor/netapp
canonical/netapp e-series performance analyzer
package-manager/npm

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.