@instana/core is vulnerable to Prototype Pollution
59
Medium Risk
The deepMerge utility in @instana/core (packages/core/src/util/deepMerge.js) recursively merges source objects into a target without filtering dangerous property keys. When a source object contains keys such as __proto__, constructor, or prototype (for example from JSON.parse of attacker-influenced input), the recursive merge writes onto Object.prototype, polluting every object in the runtime. This can enable application logic manipulation, property injection, and potential escalation depending on the consuming application. The fix updates deepMerge to skip these unsafe keys during the merge.
You are affected if you are using a version that falls within the vulnerable range.
@instana/core is vulnerable to Prototype Pollution in versions 1.63.2 - 6.2.1.
Upgrade the @instana/core library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant