Description

The package nested-object-assign before 1.0.4 are vulnerable to Prototype Pollution via the default function, as demonstrated by running the PoC below.

Remediation

References

https://github.com/Geta/NestedObjectAssign/pull/11

https://snyk.io/vuln/SNYK-JS-NESTEDOBJECTASSIGN-1065977

Related Vulnerabilities

CVE-2020-28453 Vulnerability in npm package npos-tesseract

CVE-2020-19698 Vulnerability in maven package org.webjars.bower:editor.md

CVE-2018-16491 Vulnerability in maven package org.webjars.npm:node.extend

CVE-2023-29201 Vulnerability in maven package org.xwiki.commons:xwiki-commons-xml

CVE-2021-32853 Vulnerability in npm package erxes

Severity

Critical

Classification

CWE-1321

Tags

Exploit Patch Third Party Advisory