EPSS Percentile: 74.6%
controlled-merge is vulnerable to prototype pollution. Lack of validation allows an attacker to inject arbitrary properties into __proto__ or constructor to crash the application and potentially obtain remote code execution.
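The missing validation described above, shown as a recursive merge that refuses prototype-reaching keys. This is an added example, not controlled-merge's code or its fix; safeMerge, isPlainObject, BLOCKED_KEYS and the sample input are hypothetical names and constructed data.

```javascript
// Added example: hypothetical safeMerge(), not controlled-merge's own code.
// Keys that resolve to a prototype object instead of ordinary data.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursively merge `source` into `target`. Only own enumerable keys are
// copied, blocked keys are skipped and recorded so the caller can log them.
function safeMerge(target, source, skipped = []) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) {
      skipped.push(key);
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      // Descend only into an own plain-object property of the target,
      // never into something inherited from Object.prototype.
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) {
        Object.defineProperty(target, key, {
          value: {}, writable: true, enumerable: true, configurable: true,
        });
      }
      safeMerge(target[key], value, skipped);
    } else {
      target[key] = value;
    }
  }
  return { merged: target, skipped };
}

// Constructed untrusted input: JSON.parse turns "__proto__" into an own key,
// which is how such a key reaches a merge function in the first place.
function demo() {
  const untrusted = JSON.parse(
    '{"name":"svc","__proto__":{"polluted":true},' +
    '"opts":{"constructor":{"prototype":{"polluted":true}},"retries":3}}'
  );
  const { merged, skipped } = safeMerge({ opts: { timeout: 10 } }, untrusted);
  // `polluted` must stay false: a fresh object inherits nothing new.
  return { merged, skipped, polluted: ({}).polluted !== undefined };
}
```

A non-empty skipped list is worth logging, since legitimate configuration data rarely carries these keys.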
github.com/hlfshell/controlled-merge/commit/5a4b2e9ffe5a0be7f8843d4ab038599d3ae5f9d4
github.com/hlfshell/controlled-merge/pull/3
www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28268