EIQ-2019-0005

ID

EIQ-2019-0005

CVE

CVE-2018-16469

Description

merge.recursive enables prototype pollution

Date

05 Feb 2019

Severity

3 - HIGH

CVSSv3 score

7.5

Status

✅ 2.3.4

Assessment

The merge.recursive function in the merge package, versions 1.2.0 and earlier, makes it possible for an attacker to add or modify object prototype properties.

Modified properties are propagated through inheritance to all objects, which can result in a denial of service attack.
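How the pollution described above arises in a recursive merge, next to a key filter that prevents it. This is an added example, not the merge package's code: naiveMerge, safeMerge and pollutes are hypothetical names, and the input is constructed.

```javascript
// Added illustration; not the source code of the `merge` package.
// naiveMerge, safeMerge and pollutes are hypothetical names.
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Recursive merge with no key filtering: it walks into "__proto__".
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key]) && isObject(target[key])) {
      naiveMerge(target[key], source[key]); // target.__proto__ is Object.prototype
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skips prototype-related keys and recurses only into
// properties the target owns itself, never inherited ones.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isObject(value)) {
      if (!hasOwn(target, key) || !isObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Regression check: does mergeFn let untrusted JSON reach Object.prototype?
function pollutes(mergeFn) {
  // Constructed input: JSON.parse creates "__proto__" as an own property.
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}, "name": "x"}');
  mergeFn({}, untrusted);
  const hit = ({}).polluted === true; // visible on an unrelated object?
  delete Object.prototype.polluted;   // restore state so the check is repeatable
  return hit;
}

console.log('naiveMerge pollutes:', pollutes(naiveMerge));
console.log('safeMerge pollutes:', pollutes(safeMerge));
```

The pollutes helper can be pointed at any merge function that takes (target, source), which makes it usable as a regression test after a dependency upgrade.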

Mitigation

Update to merge 1.2.1 or later.

Affected versions

2.1.0 to 2.3.3 inclusive.

Notes

For more information, see: