The utilities function in all versions <= 0.3.0 of the merge-recursive node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
References
Link | Resource |
---|---|
https://hackerone.com/reports/311337 | Exploit Issue Tracking Third Party Advisory |
https://hackerone.com/reports/311337 | Exploit Issue Tracking Third Party Advisory |
Configurations
History
21 Nov 2024, 04:06
Type | Values Removed | Values Added |
---|---|---|
References | () https://hackerone.com/reports/311337 - Exploit, Issue Tracking, Third Party Advisory |
Information
Published : 2018-07-03 21:29
Updated : 2024-11-21 04:06
NVD link : CVE-2018-3751
Mitre link : CVE-2018-3751
CVE.ORG link : CVE-2018-3751
JSON object : View
Products Affected
umbraengineering
- merge-recursive
CWE
CWE-20
Improper Input Validation