CVE-2018-3752
CRITICAL
merge-options <= 1.0.0 - Prototype Pollution via Utilities Function
Title source: llm
Description
The utilities function in all versions <= 1.0.0 of the merge-options node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
References (1)
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/311336
Scores
CVSS v3
9.8
EPSS
0.0143
EPSS Percentile
69.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (2)
merge-options_project/merge-options
< 1.0.0
npm/merge-options
0 - 1.0.1 (npm)
Published
Jul 03, 2018
Tracked Since
Feb 18, 2026