CVE-2018-3753: Prototype Pollution in async merge-object
CVSS Score: 9.8 (CVSS v3.0)
Basic Information
CVE ID: CVE-2018-3753
GHSA ID
EPSS Score: 0.55516%
CWE
Published: 9/18/2018
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| merge-object | npm | <= 1.0.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- The advisory explicitly mentions the 'utilities function' in merge-object as vulnerable. In JavaScript object-merge utilities, the primary function is typically named 'merge'.
- Prototype pollution vulnerabilities commonly occur in recursive merge functions that do not check whether a property key is a prototype pointer before assigning through it.
- The module's purpose is object merging, making the core merge function the logical attack surface.
- While the source code is not available, the vulnerability pattern matches standard prototype pollution in merge operations where `__proto__` keys are not blocked during property assignment.
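The pattern described above, as an added illustration that is not merge-object's own code (the page says the source is unavailable): a recursive deep merge that assigns every key, including `__proto__`, beside a hardened version that skips prototype-pointer keys. The function names `mergeUnsafe`, `mergeSafe` and `demo` and the JSON input are constructed for this example.

```javascript
// Illustrative example, not merge-object's code. Shows the vulnerable
// recursive-merge pattern and the hardened form that blocks prototype keys.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: every key in source is assigned, including "__proto__".
// Reading target["__proto__"] on a fresh {} yields Object.prototype, so the
// recursive call writes the nested keys onto the shared prototype.
function mergeUnsafe(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: iterate own keys only, refuse prototype-pointer keys, and only
// recurse into containers that are the target's own plain objects.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Regression check with a constructed input: reports whether an unrelated
// fresh object picked up the injected property, then cleans up the prototype.
function demo(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "a": {"b": 1}}');
  const result = mergeFn({}, payload);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // restore global state for later checks
  return { leaked, a: result.a };
}

console.log('unsafe:', demo(mergeUnsafe), 'safe:', demo(mergeSafe));
```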