CVE-2021-23470
HIGHputil-merge < 3.8.0 - Prototype Pollution via Malicious Constructor Property
Title source: llmDescription
This affects the package putil-merge before 3.8.0. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-PUTILMERGE-1317077
References (2)
Core 2
Core References
Exploit, Vendor Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-PUTILMERGE-2391487
Patch, Third Party Advisory x_refsource_misc
https://github.com/panates/putil-merge/commit/476d00078dfb2827d7c9ee0f2392c81b864f7bc5
Scores
CVSS v3
8.2
EPSS
0.0125
EPSS Percentile
65.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Details
CWE
CWE-1321
Status
published
Products (2)
npm/putil-merge
0 - 3.8.0npm
putil-merge_project/putil-merge
< 3.8.0
Published
Feb 04, 2022
Tracked Since
Feb 18, 2026