Miggo Logo

CVE-2018-3753: Prototype Pollution in async merge-object

9.8

CVSS Score
3.0

Basic Information

EPSS Score
0.55516%
Published
9/18/2018
Updated
1/9/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
merge-objectnpm<= 1.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. The advisory explicitly mentions the 'utilities function' in merge-object as vulnerable. In JS object merge utilities, the primary function is typically named 'merge'.
  2. Prototype Pollution vulnerabilities commonly occur in recursive merge functions that don't validate if a property key is a prototype pointer.
  3. The module's purpose is object merging, making the core merge function the logical attack surface.
  4. While source code isn't available, the vulnerability pattern matches standard prototype pollution in merge operations where 'proto' keys are not blocked during property assignment.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** utiliti*s *un*tion in *ll v*rsions o* t** m*r**-o*j**t no** mo*ul* **n ** tri*k** into mo*i*yin* t** prototyp* o* O*j**t w**n t** *tt**k*r **n *ontrol p*rt o* t** stru*tur* p*ss** to t*is *un*tion. T*is **n l*t *n *tt**k*r *** or mo*i*y *xistin*

Reasoning

*. T** **visory *xpli*itly m*ntions t** 'utiliti*s *un*tion' in m*r**-o*j**t *s vuln*r**l*. In JS o*j**t m*r** utiliti*s, t** prim*ry *un*tion is typi**lly n*m** 'm*r**'. *. Prototyp* Pollution vuln*r**iliti*s *ommonly o**ur in r**ursiv* m*r** *un*ti