76 matches found
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js object-extended module code execution (ID221418)
Summary: Potential vulnerabilities in Node.js object-extended module which is caused by a prototype pollution flaw in the deepMerge function. ID221418 has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. Refer to details for additional information. Vulnerability...
Prototype Pollution
ts-deepmerge is vulnerable to prototype pollution. The vulnerability exists because of missing sanitization of the merge parameters in 'src/index.test.ts', allowing an attacker to inject malicious characteristics to add new values to a JavaScript application object prototype, overwriting or...
@alloyify/anvil (>=1.1.2 <=1.1.4), @alloyify/devkit (>=1.1.2 <=1.1.4) +68 more potentially affected by CVE-2022-25907 via ts-deepmerge (>=1.0.5 <=2.0.1)
ts-deepmerge NPM version =1.0.5, =1.1.2, =1.1.2, =1.1.2, =1.1.2, =0.0.2, =0.2.0, =0.1.1, =2.4.6-alpha.3, =1.1.0, =0.1.0, =0.12.2, =0.0.1, =1.0.0-beta.1, =1.0.6 and more Source cves: CVE-2022-25907 Source advisory: OSV:GHSA-7QQQ-GH2F-WQ76...
ts-deepmerge before 2.0.2 vulnerable to Prototype Pollution
The package ts-deepmerge before version 2.0.2 is vulnerable to Prototype Pollution due to missing sanitization of the merge function...
GHSA-7QQQ-GH2F-WQ76 ts-deepmerge before 2.0.2 vulnerable to Prototype Pollution
The package ts-deepmerge before version 2.0.2 is vulnerable to Prototype Pollution due to missing sanitization of the merge function...
CVE-2022-25907
The package ts-deepmerge before 2.0.2 is vulnerable to Prototype Pollution due to missing sanitization of the merge function...
CVE-2022-25907
The package ts-deepmerge before 2.0.2 is vulnerable to Prototype Pollution due to missing sanitization of the merge function...
CVE-2022-25907
CVE-2022-25907 affects the npm package ts-deepmerge prior to 2.0.2 and is caused by missing sanitization in the merge function, enabling prototype pollution. The vulnerability is described across multiple sources as allowing modification/contamination of Object.prototype, with potential impact o...
CVE-2022-25907 Prototype Pollution
The package ts-deepmerge before 2.0.2 is vulnerable to Prototype Pollution due to missing sanitization of the merge function...
CVE-2022-25907
The package ts-deepmerge before 2.0.2 is vulnerable to Prototype Pollution due to missing sanitization of the merge function...
deepmerge-ts security vulnerability
deepmerge-ts is an npm package. It is used to deep merge 2 or more objects with respect to type information. A security vulnerability exists in versions of deepmerge-ts prior to 2.0.2, which stems from the lack of handling of merge functions and is susceptible to prototype contamination...
PT-2022-17598 · Unknown · Ts-Deepmerge
Name of the Vulnerable Software and Affected Versions: ts-deepmerge versions prior to 2.0.2. Description: The issue is related to Prototype Pollution due to missing sanitization of the merge function. This allows for potential manipulation of the prototype, leading to various security issues...
@alloyify/anvil (>=1.1.2 <=1.1.4), @alloyify/devkit (>=1.1.2 <=1.1.4) +12 more potentially affected by CVE-2022-25907 via ts-deepmerge (=2.0.1)
ts-deepmerge NPM version =2.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on ts-deepmerge and may be impacted: - @alloyify/anvil =1.1.2, =1.1.2, =1.1.2, =1.1.2, =0.0.0-canary-20220330074435, =0.0.0-canary-20220330074435, =5.0.24, =11.1.27, =4.0.22,...
Prototype Pollution
Overview: ts-deepmerge is a deep merge function that automatically infers the return type based on your input, without mutating the source objects. Affected versions of this package are vulnerable to Prototype Pollution due to missing sanitization of the merge function. PoC: js var tsDeepmerge ...
Prototype Pollution
deepmerge-ts is vulnerable to prototype pollution. The vulnerability exists in the defaultMergeRecords function in deepmerge.ts which allows an attacker to inject and execute arbitrary code inside the system...
@arachnodex/core (>=1.0.0 <=1.0.3), @arachnodex/create (>=1.0.0 <=1.0.2) +16 more potentially affected by CVE-2022-24802 via deepmerge-ts (>=1.1.7 <=3.0.1)
deepmerge-ts NPM version =1.1.7, =1.0.0, =1.0.0, =1.0.0, =0.1.3, =1.6.0, =0.2.5, =3.19.0, =1.0.16, =0.1.0, =1.0.1, =1.0.10, =4.0.0, =0.1.0, =0.5.5 and more Source cves: CVE-2022-24802 Source advisory: OSV:GHSA-R9W3-G83Q-M6HQ...
Prototype Pollution in deepmerge-ts
deepmerge-ts is used to merge 2 or more objects respecting type information. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords. A fix was released in version 4.0.2. Currently, there is no known workaround...
GHSA-R9W3-G83Q-M6HQ Prototype Pollution in deepmerge-ts
deepmerge-ts is used to merge 2 or more objects respecting type information. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords. A fix was released in version 4.0.2. Currently, there is no known workaround...
CVE-2022-24802
deepmerge-ts is a TypeScript library providing functionality for deep merging of JavaScript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords. This issue has been patched in version 4.0.2. There are no known workarounds for this issue...
Design/Logic Flaw
deepmerge-ts is a TypeScript library providing functionality for deep merging of JavaScript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords. This issue has been patched in version 4.0.2. There are no known workarounds for this issue...