CVE-2021-25944

Name of the Vulnerable Software and Affected Versions deep-defaults versions 1.0.0 through 1.0.5

Description The issue allows an attacker to cause a denial of service and may lead to remote code execution due to a prototype pollution vulnerability in the 'deep-defaults' module. The deepDefaults() function does not check the type of object before assigning a value to a property, which can be abused by an attacker to create non-existent properties or manipulate existing ones. This can be achieved by supplying a malicious value to the src argument, including the proto property, allowing the pollution of the Object prototype.

Recommendations For deep-defaults versions 1.0.0 through 1.0.5, consider disabling the deepDefaults() function until a patch is available to prevent potential exploitation. Restrict the use of the deep-defaults module to minimize the risk of denial of service or remote code execution. Avoid using the src argument with untrusted input in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.