CVE-2018-3753
CRITICAL
merge-object < 1.0.0 - Prototype Pollution via Utilities Function
Title source: llm
Description
The utilities function in all versions <= 1.0.0 of the merge-objects node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
References (1)
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/310706
Scores
CVSS v3
9.8
EPSS
0.0143
EPSS Percentile
69.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (2)
merge-object_project/merge-object
< 1.0.0
npm/merge-object
0npm
Published
Jul 03, 2018
Tracked Since
Feb 18, 2026