Description
The utilities function in all versions <= 0.3.0 of the merge-recursive node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
Remediation
References
https://hackerone.com/reports/311337
Related Vulnerabilities
CVE-2022-21126 Vulnerability in maven package com.github.samtools:htsjdk
CVE-2021-41184 Vulnerability in npm package jquery-ui
CVE-2021-21193 Vulnerability in maven package org.webjars.npm:electron
CVE-2020-28268 Vulnerability in npm package controlled-merge
CVE-2024-36401 Vulnerability in maven package org.geoserver.web:gs-web-app