CVE-2018-3723: Prototype Pollution in defaults-deep
CVSS Score: 8.8 (CVSS v3.0)
Basic Information

CVE ID: CVE-2018-3723
GHSA ID:
EPSS Score: 0.62845%
CWE: CWE-471
Published: 7/26/2018
Updated: 9/12/2023
KEV Status: No
Technology: JavaScript
Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| defaults-deep | npm | < 0.2.4 | 0.2.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the recursive merging logic in the `copy` helper function. Before the patch in 0.2.4, this function did not check for a `__proto__` key when iterating over the keys of the source object. An attacker could supply an object containing a `__proto__` property (for example, via a parsed JSON body) and the recursive merge would descend into it, so the nested values were written onto `Object.prototype` rather than onto the target object, polluting the prototype chain shared by every plain object in the process. The commit c873f34 explicitly adds a check for `__proto__` in this function, confirming this was the vulnerable code path. The CWE-471 classification and the vulnerability description both align with this prototype pollution vector through recursive object merging.
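The following is an added illustration of the merge pattern described above; it is a hypothetical reconstruction written for this page, not the actual source of defaults-deep or of the c873f34 commit. `copyVulnerable` shows a recursive merge with no key check, `copySafe` shows the same merge with prototype-reaching keys skipped, and `demonstrate` feeds both a constructed JSON payload and reports whether an unrelated fresh object ended up carrying the injected property.

```javascript
'use strict';

// Hypothetical reconstruction of the vulnerable merge pattern: every
// enumerable key of `source` is copied onto `target`, recursing into nested
// objects. Nothing stops a key named "__proto__" from being descended into,
// and target["__proto__"] resolves to Object.prototype, so the nested values
// are written onto the shared prototype instead of onto `target`.
function copyVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) {
        target[key] = {};
      }
      copyVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that let a merge reach the prototype chain instead of the object itself.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened variant: skip prototype-reaching keys and only recurse into
// properties the target actually owns, so the recursion can never land on
// Object.prototype (or on a constructor's prototype).
function copySafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) {
        target[key] = {};
      }
      copySafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Runs one merge against a constructed payload (the shape a parsed JSON body
// would have) and reports whether Object.prototype was polluted. The injected
// key is removed afterwards so repeated calls start from a clean prototype.
function demonstrate(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "name": "x"}');
  const result = mergeFn({ name: 'defaults' }, payload);
  const leaked = ({}).polluted === true; // a fresh object should never see this
  delete Object.prototype.polluted;
  return { leaked, name: result.name };
}

console.log('vulnerable merge:', demonstrate(copyVulnerable)); // leaked: true
console.log('hardened merge:  ', demonstrate(copySafe));       // leaked: false
```

The check on own properties matters as much as the blocklist: `Object.keys` already limits the *source* side to own keys, but it is the `target[key]` lookup on the *target* side that walks up to `Object.prototype`, which is why the hardened version consults `hasOwnProperty` before recursing. Freezing `Object.prototype` at process start is a further defence-in-depth option for services that accept untrusted JSON.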