CVE-2022-25907: ts-deepmerge before 2.0.2 vulnerable to Prototype Pollution
CVSS Score: 9.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-25907
EPSS Score: 0.41996%
CWE: CWE-1321 (Prototype Pollution)
Published: 8/10/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
ts-deepmerge | npm | < 2.0.2 | 2.0.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the merge function in src/index.ts handling `__proto__` keys without sanitization. The GitHub commit shows that the fix added a PROTECTED_KEYS check to explicitly skip `__proto__` during merging. The added test case demonstrates that, prior to this fix, merging objects carrying a `__proto__` property would pollute the prototype. This directly matches CWE-1321 (Prototype Pollution) and the advisory's description of missing sanitization in the merge function.
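To make the mechanism concrete, the following is an added example and not ts-deepmerge's own code: a minimal recursive deep merge in the two shapes the analysis describes, one that recurses into every key and one with a PROTECTED_KEYS skip, plus a check that reports whether Object.prototype was polluted. Function names are hypothetical, the JSON input is constructed, and blocking `constructor` and `prototype` alongside `__proto__` goes beyond what the advisory mentions.

```javascript
// Added example, not ts-deepmerge's source. Function names are hypothetical.
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// (a) Pre-fix shape: every own key of the source is merged, "__proto__"
// included. For target = {}, target["__proto__"] IS Object.prototype, so the
// recursion writes the source's nested values straight into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// (b) Fixed shape: prototype-reaching keys are skipped before target[key] is
// ever read. The advisory names "__proto__"; "constructor" and "prototype"
// are added here as customary hardening (assumption beyond the advisory).
const PROTECTED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (PROTECTED_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Runs one merge over untrusted JSON and reports whether an unrelated object
// gained the injected property, then removes it so the process is left clean.
function pollutionCheck(mergeFn) {
  // Constructed sample: JSON.parse turns "__proto__" into an ordinary own key.
  const untrusted = JSON.parse('{"__proto__": {"isAdmin": true}, "name": "x"}');
  const probe = {};                         // never touched by the merge
  const merged = mergeFn({}, untrusted);
  const polluted = probe.isAdmin === true;  // true only if Object.prototype changed
  delete Object.prototype.isAdmin;
  const ownIsAdmin = Object.prototype.hasOwnProperty.call(merged, 'isAdmin');
  return { polluted, mergedName: merged.name, ownIsAdmin };
}
```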