Description
The package nested-object-assign before 1.0.4 is vulnerable to Prototype Pollution via the default function, as demonstrated by running the PoC below.
Remediation
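A recursive merge is open to prototype pollution when it follows a `__proto__` key from untrusted input into `Object.prototype`. The added example below is not the package's code or its 1.0.4 fix; `naiveAssign`, `safeAssign` and `pollutes` are hypothetical names and the input is constructed. It shows that pattern beside a key-filtered version.

```javascript
// Added example: hypothetical helpers, not the code of nested-object-assign.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive recursive merge: target['__proto__'] resolves to Object.prototype,
// so nested keys from the source are written onto the shared prototype.
function naiveAssign(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveAssign(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skips prototype-related keys and only recurses into
// properties the target owns, never into inherited ones.
function safeAssign(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeAssign(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges constructed untrusted input and reports whether Object.prototype
// gained a property; the prototype is always restored afterwards.
function pollutes(assignFn) {
  const untrusted = JSON.parse(
    '{"settings":{"theme":"dark"},"__proto__":{"polluted":true}}');
  try {
    assignFn({}, untrusted);
    return ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log({ naive: pollutes(naiveAssign), hardened: pollutes(safeAssign) });
```

The same `pollutes` check can be pointed at any merge helper in a regression test to confirm that a dependency upgrade actually closed the issue.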
References
https://github.com/Geta/NestedObjectAssign/pull/11
https://snyk.io/vuln/SNYK-JS-NESTEDOBJECTASSIGN-1065977
Related Vulnerabilities
CVE-2019-10791 Vulnerability in npm package promise-probe
CVE-2020-5258 Vulnerability in npm package dojo
CVE-2021-25945 Vulnerability in npm package js-extend
CVE-2023-24998 Vulnerability in maven package commons-fileupload:commons-fileupload
CVE-2023-40809 Vulnerability in maven package org.opencrx:opencrx-core-models