CVE-2018-3753

CRITICAL

merge-objects <= 1.0.0 - Prototype Pollution via the utilities merge function

Title source: llm

Description

The utilities function in all versions <= 1.0.0 of the merge-objects node module can be tricked into modifying the prototype of Object when the attacker controls part of the structure passed to it. The function recursively copies keys from the source object into the target without filtering special property names, so a source key such as `__proto__` (which JSON.parse happily creates as an own property) resolves to `Object.prototype` on the target side and the nested values are written there. This lets an attacker add or modify properties that then exist on every object in the process, for example a missing `isAdmin` or `role` check that suddenly evaluates truthy.

References (1)

Core References
Exploit, Issue Tracking, Third Party Advisory (x_refsource_misc)
https://hackerone.com/reports/310706

Scores

CVSS v3 9.8
EPSS 0.0143
EPSS Percentile 69.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (2)
merge-object_project/merge-object < 1.0.0
npm/merge-object
Published Jul 03, 2018
Tracked Since Feb 18, 2026