
CVE-2021-26707:
Prototype pollution in Merge-deep

CVSS 3.1 Score
9.8

Basic Information

EPSS Score
0.72538%
Published
6/7/2021
Updated
11/29/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name
merge-deep
Ecosystem
npm
Vulnerable Versions
< 3.0.3
First Patched Version
3.0.3

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from insufficient key validation in the merge function. The pre-patch code only checked for '__proto__' but did not block the 'constructor' and 'prototype' keys. The security advisory explicitly mentions these vectors, and commit 11e5dd5 fixes this by adding an isValidKey check that rejects all three forbidden keys. The merge function's property iteration logic in index.js was the entry point for prototype pollution.
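As an added illustration of the fix described above (this is example code written for this page, not merge-deep's own index.js), the following deep merge validates every key before assigning it, rejecting '__proto__', 'constructor' and 'prototype' and skipping the subtree beneath them. The names isValidKey, isPlainObject, safeMergeDeep and mergeSample are this example's own, and the hostile JSON is a constructed sample, not a real payload from the advisory. The sample uses JSON.parse because parsed JSON yields an own '__proto__' property, which is exactly the case a key check must catch; an object literal would set the prototype instead and never reach the loop.

```javascript
// Keys that must never be copied during a merge: each one reaches Object.prototype
// either directly ('__proto__') or via constructor.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// The pre-patch check only looked for '__proto__'; the fix blocks all three.
function isValidKey(key) {
  return !FORBIDDEN_KEYS.has(key);
}

// Only recurse into plain objects; arrays, functions, class instances are copied by reference.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened deep merge (assumed API, modelled on the advisory's description of the fix).
function safeMergeDeep(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    // Own keys only, so a key inherited from an already-tampered prototype is never iterated.
    for (const key of Object.keys(source)) {
      if (!isValidKey(key)) continue; // drop the key and its whole subtree, do not recurse
      const value = source[key];
      if (isPlainObject(value)) {
        // Never write through an inherited property: create an own container first.
        if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
          target[key] = {};
        }
        safeMergeDeep(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Constructed sample input carrying all three blocked keys plus ordinary data.
const hostileJson =
  '{"__proto__":{"polluted":true},' +
  '"constructor":{"prototype":{"polluted":true}},' +
  '"prototype":{"polluted":true},' +
  '"name":"ok","nested":{"a":1}}';

// Runs the merge and reports whether Object.prototype stayed clean, which is the
// check a regression test for this class of bug should make.
function mergeSample() {
  const target = { nested: { b: 2 } };
  const result = safeMergeDeep(target, JSON.parse(hostileJson));
  return {
    result,
    prototypeClean: ({}).polluted === undefined,
    hasOwnProto: Object.prototype.hasOwnProperty.call(result, '__proto__'),
  };
}
```

The merge keeps the legitimate 'name' and 'nested' data and silently drops the three forbidden keys; a fresh empty object afterwards still has no 'polluted' property, which is the assertion worth adding to any test suite that exercises a deep-merge or configuration-loading path.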

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution a…

Reasoning

The vulnerability stems from insufficient key validation in the merge function. The pre-patch code only checked for '__proto__' but didn't block 'constructor' and 'prototype' keys. The security advisory explicitly mentions these vectors, and the comm…