9.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-3753

GHSA ID

GHSA-fp82-2h99-3fpp

EPSS Score

0.55516%

CWE

CWE-20

Published

9/18/2018

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-3753

CVE-2018-3753:
Prototype Pollution in async merge-object

The utilities function in all versions of the merge-object node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

(GitHub Advisory)

9.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-3753

GHSA ID

GHSA-fp82-2h99-3fpp

EPSS Score

0.55516%

CWE

CWE-20

Published

9/18/2018

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
merge-object	npm	<= 1.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The advisory explicitly mentions the 'utilities function' in merge-object as vulnerable. In JS object merge utilities, the primary function is typically named 'merge'.
Prototype Pollution vulnerabilities commonly occur in recursive merge functions that don't validate if a property key is a prototype pointer.
The module's purpose is object merging, making the core merge function the logical attack surface.
While source code isn't available, the vulnerability pattern matches standard prototype pollution in merge operations where 'proto' keys are not blocked during property assignment.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** utiliti*s *un*tion in *ll v*rsions o* t** m*r**-o*j**t no** mo*ul* **n ** tri*k** into mo*i*yin* t** prototyp* o* O*j**t w**n t** *tt**k*r **n *ontrol p*rt o* t** stru*tur* p*ss** to t*is *un*tion. T*is **n l*t *n *tt**k*r *** or mo*i*y *xistin*

Reasoning

*. T** **visory *xpli*itly m*ntions t** 'utiliti*s *un*tion' in m*r**-o*j**t *s vuln*r**l*. In JS o*j**t m*r** utiliti*s, t** prim*ry *un*tion is typi**lly n*m** 'm*r**'. *. Prototyp* Pollution vuln*r**iliti*s *ommonly o**ur in r**ursiv* m*r** *un*ti

9.8

Basic Information

Concerned about an active attack path?

CVE-2018-3753: Prototype Pollution in async merge-object

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2018-3753:
Prototype Pollution in async merge-object

Vulnerability Intelligence
Miggo AI