PT-2019-12025 · Deeply · Deeply

Published

2019-08-23

Updated

2019-10-08

CVE-2019-10750

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions deeply versions prior to 3.1.0 deeply versions prior to 1.0.1

Description The issue concerns Prototype Pollution. The assign-deep function in deeply can be tricked into adding or modifying properties of Object.prototype using a proto payload. This is due to the package's failure to validate which Object properties it updates, allowing attackers to modify the prototype of Object. This can cause the addition or modification of an existing property on all objects.

Recommendations For versions prior to 1.0.1, upgrade to version 3.1.0 or later. For versions prior to 3.1.0, upgrade to version 3.1.0 or later.

Exploit

Fix

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400

Related Identifiers

CVE-2019-10750

GHSA-8J4W-5FW4-RM27

SNYK-JS-DEEPLY-451026

Affected Products

Deeply

PT-2019-12025 · Deeply · Deeply

CVE-2019-10750

Weakness Enumeration

Related Identifiers

Affected Products

References · 5