EIQ-2019-0005
| ID | EIQ-2019-0005 |
| --- | --- |
| CVE | |
| Description | merge.recursive enables prototype pollution |
| Date | 05 Feb 2019 |
| Severity | 3 - HIGH |
| CVSSv3 score | 7.5 |
| Status | 2.3.4 |
| Assessment | The merge.recursive function in the merge package, versions 1.2.0 and earlier, makes it possible for an attacker to add or modify object prototype properties. Modified properties are propagated through inheritance to all objects, which can result in a denial of service attack. |
| Mitigation | Update to merge 1.2.1 or later. |
| Affected versions | 2.1.0 to 2.3.3 included. |
| Notes | For more information, see: |
In release notes 2.3.3
In release notes 2.3.4
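
The failure mode described in the Assessment, as an added example (not code from the merge package or from the product): a naive recursive merge beside a hardened one, with a regression check that reports whether an unrelated object inherited a merged property. All function names and the `demoFlag` property are hypothetical, and the input is constructed.

```javascript
// Added illustration: NOT the source of the merge package.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isObj = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive deep merge: recurses into whatever target[key] resolves to,
// including the inherited Object.prototype reached through "__proto__".
function naiveMergeRecursive(target, source) {
  for (const key of Object.keys(source)) {
    if (isObj(source[key]) && isObj(target[key])) {
      naiveMergeRecursive(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep merge: skips prototype-related keys and only recurses
// into properties the target itself owns.
function safeMergeRecursive(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // also drops legitimate keys with these names
    const value = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isObj(value)) {
      const base = own && isObj(target[key]) ? target[key] : {};
      target[key] = safeMergeRecursive(base, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Regression check: merge a constructed untrusted document, then test
// whether a brand-new, unrelated object inherited the merged property.
function checkPollution(mergeFn) {
  const untrusted = JSON.parse(
    '{"settings": {"theme": "dark"}, "__proto__": {"demoFlag": true}}');
  const merged = mergeFn({ settings: { lang: 'en' } }, untrusted);
  const polluted = ({}).demoFlag === true;
  delete Object.prototype.demoFlag; // restore the shared prototype
  return { polluted, settings: merged.settings };
}

console.log('naive merge polluted Object.prototype:', checkPollution(naiveMergeRecursive).polluted);
console.log('hardened merge polluted Object.prototype:', checkPollution(safeMergeRecursive).polluted);
```

A check of this shape can sit in a test suite to confirm that a dependency upgrade, such as the one named under Mitigation, actually closed the path.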