Holyvier

**Name of the Vulnerable Software and Affected Versions** merge-objects node module versions <= 1.0.0 **Description** The utilities function in the merge-objects node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects. **Recommendations** For merge-objects node module versions <= 1.0.0, consider restricting the use of the utilities function until a patch is available, or ensure that the structure passed to this function is thoroughly validated to prevent manipulation by an attacker.

**Name of the Vulnerable Software and Affected Versions** deap node module versions prior to 1.0.1 **Description** The issue allows an attacker to modify the prototype of Object when they can control part of the structure passed to the utilities function. This can enable an attacker to add or modify existing properties that will exist on all objects. **Recommendations** For versions prior to 1.0.1, update to version 1.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** deep-extend versions <= 0.5.0 **Description** The issue allows an attacker to modify the prototype of Object when they can control part of the structure passed to the utilities function. This can enable an attacker to add or modify existing properties that will exist on all objects. **Recommendations** Update to version 0.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** merge-recursive versions <= 0.3.0 **Description** The issue allows an attacker to modify the prototype of Object, enabling the addition or modification of existing properties that will exist on all objects. This can occur when the attacker controls part of the structure passed to the utilities function in the merge-recursive node module. The vulnerability can be exploited when malicious user input is merged with another object, allowing the attacker to modify the prototype of Object via ` proto `. **Recommendations** For merge-recursive versions <= 0.3.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** default-deep versions prior to 0.2.4 **Description** The issue allows a malicious user to modify the prototype of `Object` via ` proto `, causing the addition or modification of an existing property that will exist on all objects. This is due to a Modification of Assumed-Immutable Data (MAID) vulnerability. **Recommendations** Update to version 0.2.4 or later.

**Name of the Vulnerable Software and Affected Versions** mixin-deep versions prior to 1.3.1 **Description** The issue allows a malicious user to modify the prototype of `Object` via ` proto `, causing the addition or modification of an existing property that will exist on all objects. This is achieved through prototype pollution via merging functions. **Recommendations** Update to version 1.3.1 or later.

**Name of the Vulnerable Software and Affected Versions** assign-deep versions prior to 0.4.7 **Description** The issue allows a malicious user to modify the prototype of `Object` via ` proto `, causing the addition or modification of an existing property that will exist on all objects. This is achieved through prototype pollution via merging functions. **Recommendations** Update to version 0.4.7 or later.

**Name of the Vulnerable Software and Affected Versions** lodash versions prior to 4.17.5 **Description** The issue allows a malicious user to modify the prototype of `Object` via ` proto `, causing the addition or modification of an existing property that will exist on all objects. This is achieved through the `defaultsDeep`, `merge`, and `mergeWith` functions. **Recommendations** Update to version 4.17.5 or later. As a temporary workaround, consider avoiding the use of the `defaultsDeep`, `merge`, and `mergeWith` functions until a patch is applied. Restrict access to these functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** merge-deep versions prior to 3.0.1 **Description** The issue allows a malicious user to modify the prototype of `Object` via ` proto `, causing the addition or modification of an existing property that will exist on all objects. This is achieved through prototype pollution via merging functions. **Recommendations** Update to version 3.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** hoek versions prior to 4.2.1 hoek versions 5.0.x prior to 5.0.3 **Description** The issue affects the `merge` and `applyToDefaults` functions in the hoek node module, allowing a malicious user to modify the prototype of "Object" via ` proto `. This can lead to the addition or modification of an existing property that will exist on all objects, potentially causing a denial of service. The vulnerability can be exploited when an unvalidated payload containing the ` proto ` property is provided to the affected functions. **Recommendations** Update to version 4.2.1 or later. Update to version 5.0.3 or later.