@75lb/deep-merge is vulnerable to Prototype Pollution
56
Medium Risk
@75lb/deep-merge deep-merges the values of one object into another using a lodash assignWith customiser that recurses into every own property of the source. When the source is produced by JSON.parse, __proto__ is a real own enumerable property, so the customiser merges into it and writes through to Object.prototype. Untrusted input passed into the merge can therefore pollute the global object prototype, corrupting application logic and enabling denial of service or further escalation. The fix adds a guard that refuses to merge into __proto__, constructor, and prototype keys.
You are affected if you are using a version that falls within the vulnerable range and your application merges untrusted input, such as parsed JSON, into an object.
@75lb/deep-merge is vulnerable to Prototype Pollution in versions 1.0.0 - 1.1.3.
Upgrade the @75lb/deep-merge library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant