PT-2019-12021 · Npm · Assign-Deep

Published 2019-08-20 · Updated 2022-12-02 · CVE-2019-10745

CVSS v3.1 7.5 High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

assign-deep versions prior to 0.4.8
assign-deep versions prior to 1.0.1

Description

The issue allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. This is due to the assign function failing to validate which Object properties it updates. The function could be tricked into adding or modifying properties of Object.prototype using either a constructor or a __proto__ payload.

Recommendations

For versions prior to 0.4.8, upgrade to version 0.4.8 or later.
For versions prior to 1.0.1, upgrade to version 1.0.1 or later.
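The weakness class described above, as an added example that is not part of the advisory and is not the assign-deep source code: a constructed naive recursive merge next to a variant that filters the keys named in the description, which is one common mitigation. All function names, payload strings and probe property names are assumptions made for illustration.

```javascript
// Added illustration; NOT the assign-deep implementation.
const isObject = (v) =>
  v !== null && (typeof v === 'object' || typeof v === 'function');

// Naive merge: recurses through any key, so "__proto__" and
// "constructor" -> "prototype" both lead to Object.prototype.
function naiveAssignDeep(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isObject(value) && isObject(target[key])) {
      naiveAssignDeep(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skips prototype-related keys and only recurses
// into properties the target itself owns (never inherited ones).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeAssignDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isObject(value) && own && isObject(target[key])) {
      safeAssignDeep(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed inputs, as they would arrive from JSON.parse.
const PROTO_PAYLOAD = '{"__proto__":{"pollutedA":true}}';
const CTOR_PAYLOAD = '{"constructor":{"prototype":{"pollutedB":true}}}';

// Regression check: does a fresh {} inherit `probe` after the merge?
function isPolluted(merge, payloadJson, probe) {
  try {
    merge({}, JSON.parse(payloadJson));
    return ({})[probe] !== undefined;
  } finally {
    delete Object.prototype[probe]; // restore global state
  }
}

console.log('naive:', isPolluted(naiveAssignDeep, PROTO_PAYLOAD, 'pollutedA'));
console.log('safe: ', isPolluted(safeAssignDeep, PROTO_PAYLOAD, 'pollutedA'));
```

The `isPolluted` helper can be kept as a regression test for any in-house merge utility after upgrading to the fixed versions listed above.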

Exploit

Fix

Prototype Pollution

RCE

Weakness Enumeration

Related Identifiers

CVE-2019-10745
GHSA-66RH-8FW6-59Q6
SNYK-JS-ASSIGNDEEP-450211

Affected Products

Assign-Deep