PT-2026-42530 · Npm · @Theecryptochad/Merge-Guard
Published 2026-05-11 · Updated 2026-05-11
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
@theecryptochad/merge-guard versions prior to 1.0.1 are vulnerable to Prototype Pollution via the deepMerge() function. An attacker who controls the source object can inject `__proto__` keys that mutate Object.prototype, affecting all objects in the Node.js runtime.

Details
The deepMerge() function recursively merges two objects without sanitizing reserved property keys (`__proto__`, `constructor`, `prototype`). When a source object contains a `__proto__` key, the merge writes its value through `target.__proto__`, which resolves to Object.prototype, so the injected properties land on Object.prototype rather than on the target object alone.
Proof of Concept
```js
const { deepMerge } = require('@theecryptochad/merge-guard');
const payload = JSON.parse('{"__proto__":{"isAdmin":true}}');
deepMerge({}, payload);
console.log({}.isAdmin); // true — Object.prototype is polluted
```

Impact
Any application that passes untrusted input to deepMerge() (e.g. user-supplied JSON from HTTP requests, WebSocket messages, or config files) is vulnerable. An attacker can inject arbitrary properties onto Object.prototype, enabling privilege escalation, application logic bypass, and property injection.

Remediation
Upgrade to @theecryptochad/merge-guard >= 1.0.1, which adds an explicit blocklist checked against every key inside the merge loop:
```js
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
if (BLOCKED.has(key)) continue; // skip reserved keys instead of merging them
```

References
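The following is an added example, not code from the @theecryptochad/merge-guard package or from the fix commit. It reconstructs the vulnerable merge pattern described in the Details section (recursive merge with no key sanitisation), places a hardened variant beside it that applies the same three-key blocklist the 1.0.1 remediation uses, and runs the advisory's PoC payload against both so the difference is observable. The function names `deepMergeVulnerable`, `deepMergeSafe` and `pollutesPrototype` are assumptions made for this example.

```javascript
// Added example; not the package's own code. Vulnerable merge pattern from the
// advisory beside a hardened merge, exercised with the advisory's PoC payload.

const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: recursive merge with no key sanitisation. JSON.parse creates
// "__proto__" as an own property, so for...in visits it; target["__proto__"] then
// resolves to Object.prototype, and the recursion writes isAdmin onto it.
function deepMergeVulnerable(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      deepMergeVulnerable(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: reserved keys are skipped (the 1.0.1-style blocklist), only own
// keys of the source are iterated, and the merge never descends into an inherited
// property of the target.
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (RESERVED.has(key)) continue; // skip __proto__ / constructor / prototype
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      deepMergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input: the payload from the advisory's proof of concept.
const POC_PAYLOAD = '{"__proto__":{"isAdmin":true}}';

// Runs a merge implementation against the PoC payload and reports whether a fresh
// object now inherits isAdmin. Any pollution is removed afterwards so the process
// is left clean for the next check.
function pollutesPrototype(mergeFn) {
  mergeFn({}, JSON.parse(POC_PAYLOAD));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

console.log('vulnerable merge pollutes Object.prototype:', pollutesPrototype(deepMergeVulnerable)); // true
console.log('hardened merge pollutes Object.prototype:', pollutesPrototype(deepMergeSafe));         // false
console.log('hardened merge still merges ordinary keys:',
  JSON.stringify(deepMergeSafe({ a: 1, b: { c: 1 } }, { b: { d: 2 } }))); // {"a":1,"b":{"c":1,"d":2}}
```

Two points worth noting when reviewing a merge helper for this class of bug: iterating with Object.keys() instead of for...in does not by itself help, because JSON.parse materialises `__proto__` as an own enumerable key, so the blocklist check is what actually closes the hole; and `constructor` is on the list because `constructor.prototype` is a second route to Object.prototype. Freezing Object.prototype at process start (Object.freeze(Object.prototype)) is a coarser, application-level backstop that stops the write even if a vulnerable dependency is still present.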
- CWE-1321: Improper Neutralization of Special Elements in Object Keys
- [OWASP: Prototype Pollution](https://owasp.org/www-community/attacks/Prototype_Pollution)
- Fix commit
Fix
Prototype Pollution
Affected products
@Theecryptochad/Merge-Guard