Description
The package nested-object-assign before 1.0.4 is vulnerable to Prototype Pollution via the default function, as demonstrated by running the PoC below.
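To show the class of bug for defenders, the following added example sets an unguarded recursive merge beside a guarded one and checks whether merging parsed JSON alters Object.prototype. It is not the advisory's PoC and not nested-object-assign's code; naiveMerge, safeMerge, checkPollution and the sample input are hypothetical names and constructed data.

```javascript
// Added illustration: generic recursive merges, not nested-object-assign's code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Unguarded: recurses into whatever target[key] resolves to, including Object.prototype.
function naiveMerge(target, ...sources) {
  for (const src of sources) {
    for (const key in src) {
      if (isPlainObject(src[key])) {
        if (!isPlainObject(target[key])) target[key] = {};
        naiveMerge(target[key], src[key]);
      } else {
        target[key] = src[key];
      }
    }
  }
  return target;
}

// Guarded: own keys only, prototype-reaching keys skipped, recursion only into own objects.
function safeMerge(target, ...sources) {
  for (const src of sources) {
    if (!isPlainObject(src)) continue;
    for (const key of Object.keys(src)) {
      if (BLOCKED_KEYS.has(key)) continue;
      const val = src[key];
      if (isPlainObject(val)) {
        const own = Object.prototype.hasOwnProperty.call(target, key);
        if (!own || !isPlainObject(target[key])) target[key] = {};
        safeMerge(target[key], val);
      } else {
        target[key] = val;
      }
    }
  }
  return target;
}

// Merges a constructed JSON input and reports whether Object.prototype changed.
function checkPollution(mergeFn) {
  const input = JSON.parse('{"a":{"b":1},"__proto__":{"polluted":true}}');
  const merged = mergeFn({}, input);
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
  delete Object.prototype.polluted; // restore global state after the check
  return { polluted, merged };
}
```

A check of this shape fits a regression test for any deep-merge helper that accepts untrusted objects.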
Remediation
References
https://github.com/Geta/NestedObjectAssign/pull/11
https://snyk.io/vuln/SNYK-JS-NESTEDOBJECTASSIGN-1065977
Related Vulnerabilities
CVE-2018-1000536 Vulnerability in npm package medis
CVE-2018-3754 Vulnerability in npm package query-mysql
CVE-2022-25758 Vulnerability in maven package org.webjars.npm:scss-tokenizer
CVE-2022-24999 Vulnerability in maven package org.webjars.npm:qs
CVE-2023-22461 Vulnerability in npm package @mattkrick/sanitize-svg