Prototype Pollution in defaults-deep #445
Labels: Auto Create Issues, Critical (security severity), do-not-autoclose, Security
Description
All versions of defaults-deep are vulnerable to prototype pollution. Given crafted input (for example a JSON document containing a "__proto__" key), defaults-deep will add or modify properties of Object.prototype while merging. Because every ordinary object inherits from Object.prototype, those properties then appear on all objects in the process.
Recommendation
As no patch is currently available for this vulnerability, our recommendation is to select another module that provides this functionality.
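The merge behaviour the advisory describes, as an added example (illustrative code written for this page, not the defaults-deep package's source): a minimal deep-defaults merge with the same defect, a hardened version that refuses the `__proto__`, `constructor` and `prototype` keys and treats only own properties as already set (the behaviour worth verifying in any replacement module, per the recommendation above), and a probe that detects a polluted Object.prototype. The payload, the `retries` key and all function names are constructed for the example.

```javascript
// Added example (not the defaults-deep package's code): a minimal deep-defaults
// merge that reproduces the prototype-pollution class described above, beside a
// hardened version and a probe that detects a polluted Object.prototype.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable: fills in missing keys of `target` from each source, recursing into
// nested objects. `target[key]` consults the prototype chain, so a source key
// named "__proto__" resolves to Object.prototype and the recursion writes there.
function defaultsDeepVulnerable(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      const value = source[key];
      if (isPlainObject(value)) {
        if (target[key] === undefined) target[key] = {};
        defaultsDeepVulnerable(target[key], value);
      } else if (target[key] === undefined) {
        target[key] = value;
      }
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain and only treat
// *own* properties of `target` as "already set". "constructor"/"prototype"
// is the other route to Object.prototype ({"constructor":{"prototype":{...}}}).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function defaultsDeepSafe(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      const value = source[key];
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      if (isPlainObject(value)) {
        if (!hasOwn) target[key] = {};
        if (isPlainObject(target[key])) defaultsDeepSafe(target[key], value);
      } else if (!hasOwn) {
        target[key] = value;
      }
    }
  }
  return target;
}

// Detection probe: Object.prototype's built-ins are non-enumerable, so any
// enumerable key on it is something a merge (or an attacker) put there.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed attacker-controlled input (e.g. a parsed JSON request body).
// JSON.parse yields an own property literally named "__proto__"; an object
// literal {__proto__: ...} would set the prototype instead and not trigger this.
const PAYLOAD = '{"__proto__": {"isAdmin": true}, "retries": 3}';

function runVulnerable() {
  const config = defaultsDeepVulnerable({ retries: 1 }, JSON.parse(PAYLOAD));
  const unrelated = {};                    // never touched by the merge
  const result = {
    retries: config.retries,               // 1: existing value kept (defaults semantics)
    leaked: unrelated.isAdmin,             // true: the write landed on Object.prototype
    clean: prototypeIsClean(),             // false
  };
  delete Object.prototype.isAdmin;         // undo the pollution for the rest of the process
  return result;
}

function runHardened() {
  const config = defaultsDeepSafe({ retries: 1 }, JSON.parse(PAYLOAD));
  return {
    retries: config.retries,               // 1
    leaked: ({}).isAdmin,                  // undefined
    clean: prototypeIsClean(),             // true
  };
}

console.log('vulnerable:', runVulnerable());
console.log('hardened:  ', runHardened());
```

Run with `node` on any current release. The `prototypeIsClean` probe is cheap enough to call from a test suite after exercising request-parsing code paths; if it returns false, some merge in the dependency tree walked into Object.prototype. Freezing the prototype (`Object.freeze(Object.prototype)`) at process start is a coarse mitigation that stops the write but can break libraries that legitimately extend it.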
Severity
9.8 / 10 (Critical)
CVSS base metrics
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags
Runtime dependency
Weaknesses
CWE-345
CWE-400
CVE ID
CVE-2018-16486
GHSA ID
GHSA-pjxw-22xf-6pwc
Information
Package: defaults-deep (npm)
Affected versions: <= 0.2.4
Patched version: None
References
https://nvd.nist.gov/vuln/detail/CVE-2018-16486
https://hackerone.com/reports/380878
GHSA-pjxw-22xf-6pwc
https://www.npmjs.com/advisories/778