PT-2018-16174 · Node · Merge-Objects

Holyvier · Published 2018-07-03 · Updated 2018-09-18 · CVE-2018-3753

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: merge-objects node module versions <= 1.0.0
Description: The utilities function in the merge-objects node module can be tricked into modifying the prototype of Object when the attacker controls part of the structure passed to this function. This lets an attacker add new properties, or modify existing ones, that will then be present on all objects.
Recommendations: For merge-objects node module versions <= 1.0.0, consider restricting the use of the utilities function until a patch is available, or ensure that the structure passed to this function is thoroughly validated to prevent manipulation by an attacker.
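The mechanism the description refers to, shown as an added illustration of the bug class rather than the merge-objects module's own code: a generic recursive merge that copies untrusted keys by name (so a source key named `__proto__` resolves to `Object.prototype` on the target side), a hardened merge of the kind the recommendation asks for, and a check that tells whether the shared prototype has been modified. The function names, the `FORBIDDEN_KEYS` list and the JSON input are all constructed for this example.

```javascript
// Added example, not code from the merge-objects module: a generic recursive
// merge of the kind this advisory describes, next to a hardened version and
// a check that detects whether Object.prototype has been modified.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable pattern: keys are taken from the untrusted source by name and
// written straight onto the target. A source key "__proto__" resolves, on the
// target side, to Object.prototype (an existing plain object), so the recursion
// writes into the prototype shared by every object in the process.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened version: only own keys of the source are visited, the keys that
// reach the prototype chain are rejected outright, and nested containers are
// taken from the target's own properties only, never through inheritance.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const nested = isPlainObject(existing) ? existing : {};
      target[key] = mergeSafe(nested, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection: does the shared prototype carry an own property with this name?
// Useful as a post-condition in tests or as a startup self-check.
function prototypeHasOwn(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Runs both merges against the same constructed input and reports whether
// each one leaked into Object.prototype. The unsafe run's damage is undone
// afterwards so the process is left clean.
function runComparison() {
  // Constructed input. JSON.parse is used deliberately: it creates an own
  // property literally named "__proto__", which an object literal would not.
  const untrusted = JSON.parse(
    '{"settings": {"debug": true}, "__proto__": {"polluted": "yes"}}'
  );

  mergeUnsafe({}, untrusted);
  const unsafeLeaked = prototypeHasOwn('polluted');
  delete Object.prototype.polluted;

  let safeRejected = false;
  const safeTarget = {};
  try {
    mergeSafe(safeTarget, untrusted);
  } catch (e) {
    safeRejected = true;
  }
  const safeLeaked = prototypeHasOwn('polluted');

  return { unsafeLeaked, safeRejected, safeLeaked, safeTarget };
}

module.exports = { isPlainObject, mergeUnsafe, mergeSafe, prototypeHasOwn, runComparison };
```

Calling `runComparison()` returns `unsafeLeaked: true` and `safeLeaked: false`: the naive merge leaves `polluted` on `Object.prototype`, the hardened one refuses the key and still merges the ordinary `settings` subtree. Two design points carry the mitigation: iterating `Object.keys(source)` instead of `for...in` so inherited keys are never copied, and rejecting `__proto__`, `constructor` and `prototype` before any lookup on the target happens. Throwing rather than silently skipping is a choice; skipping is acceptable when the caller cannot handle errors, but logging the rejected key gives an operator a detection signal either way.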

Exploit

Fix

Prototype Pollution

RCE


Weakness Enumeration

Related Identifiers

CVE-2018-3753
GHSA-FP82-2H99-3FPP

Affected Products

Merge-Objects