Description
deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the '__proto__' property to be edited.
Remediation
References
https://fluidattacks.com/advisories/heldens/
https://github.com/mattphillips/deep-object-diff
Related Vulnerabilities
CVE-2022-25345 Vulnerability in npm package @discordjs/opus
CVE-2020-7746 Vulnerability in npm package chart.js
CVE-2021-41580 Vulnerability in npm package passport-oauth2
CVE-2023-3691 Vulnerability in maven package org.webjars.bowergithub.layui:layui
CVE-2023-3276 Vulnerability in maven package cn.hutool:hutool-core