16 matches found
CVE-2026-43896
A flaw was found in jq, a command line JSON processor. The jv_object_merge_recursive function, reachable via the * operator when both operands are objects, does not have a depth limit when processing nested objects. This missing depth limit allows an attacker who can supply a sufficiently nested input...
EUVD-2018-0453
Malware in sbrugna...
merge package denial of service vulnerability
The merge package is a package for merging multiple objects into one. A security vulnerability exists in the 'merge.recursive' function in merge package versions prior to 1.2. An attacker can exploit this vulnerability to cause a denial of service...
GHSA-F9CM-QMX5-M98H Prototype Pollution in merge
Versions of merge before 1.2.1 are vulnerable to prototype pollution. The merge.recursive function can be tricked into adding or modifying properties of the Object prototype. Recommendation: Update to version 1.2.1 or later...
UBUNTU-CVE-2018-16469
The merge.recursive function in the merge package 1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack...
Prototype Pollution
Overview: All versions of merge-recursive are vulnerable to Prototype Pollution. When malicious user input is merged with another object it allows the attacker to modify the prototype of Object via __proto__ causing the addition or modification of an existing property. Proof of concept: var merge =...
Prototype Pollution in merge-recursive
All versions of merge-recursive are vulnerable to Prototype Pollution. When malicious user input is merged with another object it allows the attacker to modify the prototype of Object via __proto__ causing the addition or modification of an existing property. Proof of concept: var merge =...
GHSA-CVXM-F295-X957 Prototype Pollution in merge-recursive
All versions of merge-recursive are vulnerable to Prototype Pollution. When malicious user input is merged with another object it allows the attacker to modify the prototype of Object via __proto__ causing the addition or modification of an existing property. Proof of concept: var merge =...
1.11week (=1.0.0), 4.23zhoukao (=1.0.0) +144 more potentially affected by CVE-2018-3751 via merge-recursive (>=0.0.0 <=0.0.3)
merge-recursive NPM version =0.0.0, =1.1.0-beta.28, =0.0.6, =1.0.9, =1.0.4, =1.0.5, =1.2.0, =0.3.4, =0.2.5, =0.1.0, =0.2.3 and more Source cves: CVE-2018-3751 Source advisory: OSV:GHSA-CVXM-F295-X957...
CVE-2018-3751
The utilities function in all versions = 0.3.0 of the merge-recursive node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all...
Code injection
The utilities function in all versions = 0.3.0 of the merge-recursive node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all...
CVE-2018-3751
The utilities function in all versions = 0.3.0 of the merge-recursive node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all...
CVE-2018-3751
The utilities function in all versions = 0.3.0 of the merge-recursive node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all...
CVE-2018-3751
The CVE-2018-3751 cases document a Prototype Pollution flaw in the Node.js module merge-recursive (versions
Prototype Pollution
merge-recursive is vulnerable to prototype pollution attacks. The vulnerability exists in the utility function where the prototype of Object can be overwritten to add or modify existing property on all objects...
Node.js third-party modules: Prototype pollution attack (merge-recursive)
As discussed in 309391, here's the separate report for each of the libraries. This one is the information for the merge-recursive library. Module: merge-recursive Summary: Utilities function in all the listed modules can be tricked into modifying the prototype of "Object" when the attacker control...