PT-2018-16172 · Node · Merge-Recursive

Holyvier · Published 2018-07-03 · Updated 2018-09-18 · CVE-2018-3751

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

merge-recursive versions <= 0.3.0

Description

The issue allows an attacker to modify the prototype of Object, enabling the addition or modification of existing properties that will exist on all objects. This can occur when the attacker controls part of the structure passed to the utilities function in the merge-recursive node module. The vulnerability can be exploited when malicious user input is merged with another object, allowing the attacker to modify the prototype of Object via `__proto__`.

Recommendations

For merge-recursive versions <= 0.3.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Weakness Enumeration

Related Identifiers

CVE-2018-3751
GHSA-CVXM-F295-X957

Affected Products

Merge-Recursive