Description
The package nested-object-assign before 1.0.4 is vulnerable to Prototype Pollution via the default function, as demonstrated by running the PoC below.
Remediation
References
https://github.com/Geta/NestedObjectAssign/pull/11
https://snyk.io/vuln/SNYK-JS-NESTEDOBJECTASSIGN-1065977
Related Vulnerabilities
CVE-2021-44145 Vulnerability in maven package org.apache.nifi:nifi
CVE-2021-23369 Vulnerability in npm package handlebars
CVE-2021-23337 Vulnerability in maven package org.webjars.bower:lodash
CVE-2021-44906 Vulnerability in maven package org.webjars.bowergithub.substack:minimist
CVE-2023-46233 Vulnerability in maven package org.webjars.bower:crypto-js