CVE-2018-3753

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2018-3753

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-3753.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-3753

Aliases

GHSA-fp82-2h99-3fpp

Published

2018-07-03T21:29:00.747Z

Modified

2026-03-14T09:29:34.442603Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

The utilities function in all versions <= 1.0.0 of the merge-objects node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

References

https://hackerone.com/reports/310706

Affected packages

Git / github.com/faizalpribadi/merge-object

Affected ranges

Type

GIT

Repo

https://github.com/faizalpribadi/merge-object

Events

Introduced

Last affected

343f2668fd2812422229a18f9a8fc7b053074bb2

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0"
        }
    ]
}

Affected versions

0.*

0.1.0

1.*

1.0.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-3753.json"