CVE-2022-25907: ts-deepmerge before 2.0.2 vulnerable to Prototype Pollution

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.41996%
Published: 8/10/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
ts-deepmerge   npm         < 2.0.2               2.0.2

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from the merge function in src/index.ts handling '__proto__' keys without sanitization. The GitHub commit shows that the fix added a PROTECTED_KEYS check to explicitly skip '__proto__' during merging. The added test case demonstrates that, prior to this fix, merging objects with '__proto__' properties would pollute the prototype. This directly matches CWE-1321 (Prototype Pollution) and the advisory's description of missing sanitization in the merge function.
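As an added example (not code from ts-deepmerge or Miggo), the following JavaScript applies the PROTECTED_KEYS idea described above in a deep merge, alongside a scanner that flags such keys in untrusted input before it reaches any merge. The function names, the exact key set and the sample payload are assumptions constructed for this illustration.

```javascript
// Added example, not ts-deepmerge's own source: a deep merge that skips
// prototype-bearing keys (the PROTECTED_KEYS idea the advisory describes)
// plus a scanner that reports such keys in untrusted input before merging.
const PROTECTED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Merge `sources` into a fresh object. In a naive deep merge, reading
// target["__proto__"] yields Object.prototype and the recursion then writes
// the payload's properties onto every object; skipping the key closes that.
function safeMerge(...sources) {
  const target = {};
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (PROTECTED_KEYS.has(key)) continue; // the fix: never walk into these
      const value = source[key];
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (isPlainObject(value)) {
        target[key] = safeMerge(own ? target[key] : {}, value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Defensive pre-check for untrusted JSON: list the paths at which protected
// keys occur so the input can be rejected or logged instead of merged.
function findProtectedKeys(value, path = "$", found = []) {
  if (!isPlainObject(value)) return found;
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (PROTECTED_KEYS.has(key)) found.push(here);
    findProtectedKeys(value[key], here, found);
  }
  return found;
}

// Constructed sample payload. JSON.parse creates `__proto__` as an own key
// (an object literal would set the prototype instead), as a parsed body would.
const untrusted = JSON.parse(
  '{"a":{"b":1},"__proto__":{"polluted":true},"constructor":{"prototype":{"x":1}}}'
);
const merged = safeMerge({ a: { c: 2 } }, untrusted);
console.log(findProtectedKeys(untrusted), merged, ({}).polluted);
```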

WAF Protection Rules

WAF Rule

The package ts-deepmerge before version 2.0.2 is vulnerable to Prototype Pollution due to missing sanitization of the `merge` function.
