PT-2022-9397 · Npm · @Generates/Merger+1
Dung Le · Published 2022-07-25 · Updated 2022-08-01
CVE-2021-23397
CVSS v3.1: 5.6 Medium
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
@ianwalter/merge: all versions
Description
The issue concerns Prototype Pollution via the main (merge) function. The maintainer suggests using @generates/merger instead, as @ianwalter/merge is deprecated.
Recommendations
For all versions, consider using @generates/merger as a replacement, as suggested by the maintainer, until a patch is available for @ianwalter/merge. As a temporary workaround, consider avoiding the use of the merge function in @ianwalter/merge to minimize the risk of exploitation.
Exploit
Fix
Prototype Pollution
Weakness Enumeration
Related Identifiers
Affected Products
@Generates/Merger
@Ianwalter/Merge
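For code that has to merge untrusted objects while the replacement recommended above is being adopted, the following added example (not code from @ianwalter/merge or @generates/merger) shows a recursive merge that drops the keys through which a merge function can reach a prototype. The names `safeMerge`, `BLOCKED_KEYS`, `isPlainObject` and `demo`, and the sample input, are assumptions made for illustration.

```javascript
// Added example: a recursive merge that refuses prototype-reaching keys.
// All names here are hypothetical, not taken from either package.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

function safeMerge(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    // Object.keys returns own enumerable keys only, so nothing inherited is copied.
    for (const key of Object.keys(source)) {
      if (BLOCKED_KEYS.has(key)) continue; // never write through these keys
      const value = source[key];
      if (isPlainObject(value)) {
        // Recurse only into an own plain-object property of the target,
        // never into something the target inherited.
        const own = Object.prototype.hasOwnProperty.call(target, key);
        const existing = own && isPlainObject(target[key]) ? target[key] : {};
        target[key] = safeMerge(existing, value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Constructed input: JSON.parse creates "__proto__" as an own, enumerable key,
// which is how such a key typically arrives in a merge source.
function demo() {
  const untrusted = JSON.parse(
    '{"__proto__": {"isAdmin": true}, "theme": {"dark": true}}'
  );
  const merged = safeMerge({ theme: { font: 'mono' } }, untrusted);
  // A fresh object must not have gained the property.
  return { merged, polluted: ({}).isAdmin === true };
}

console.log(demo());
```

The same assertions work as a regression test against whichever merge library a project settles on.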