Description
The utilities function in all versions <= 1.0.0 of the merge-options node module can be tricked into modifying the prototype of Object when an attacker controls part of the structure passed to this function. This can let an attacker add properties, or modify existing ones, that will then exist on all objects.
Remediation
References
https://hackerone.com/reports/311336