Description
Versions of the package nested-object-assign before 1.0.4 are vulnerable to Prototype Pollution via the default function, as demonstrated by running the PoC below.
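The following is an added example, not the advisory's PoC and not the package's own code: a generic recursive assign showing the unguarded pattern behind this class of bug, beside a guarded version. The function names and the JSON payload are constructed for illustration.

```javascript
// Added illustration; not the source code of nested-object-assign.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Unguarded pattern: target['__proto__'] resolves to Object.prototype,
// so the recursion writes attacker-supplied keys onto every object.
function unsafeNestedAssign(target, ...sources) {
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      if (isPlainObject(source[key]) && isPlainObject(target[key])) {
        unsafeNestedAssign(target[key], source[key]);
      } else {
        target[key] = source[key];
      }
    }
  }
  return target;
}

// Guarded pattern: skip prototype-related keys and recurse only into
// properties the target owns itself, never inherited ones.
function safeNestedAssign(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (BLOCKED_KEYS.has(key)) continue;
      const value = source[key];
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (isPlainObject(value)) {
        const dest = own && isPlainObject(target[key]) ? target[key] : {};
        target[key] = safeNestedAssign(dest, value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Merge a constructed JSON payload into {}, report whether Object.prototype changed, then clean up.
function pollutes(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "a": {"b": 1}}');
  mergeFn({}, payload);
  const hit = ({}).polluted === true;
  delete Object.prototype.polluted;
  return hit;
}

console.log('unguarded:', pollutes(unsafeNestedAssign), 'guarded:', pollutes(safeNestedAssign));
```

The same `pollutes` check can be pointed at any merge helper in a code base as a regression test, since it only inspects a fresh object after the merge.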
Remediation
References
https://github.com/Geta/NestedObjectAssign/pull/11
https://snyk.io/vuln/SNYK-JS-NESTEDOBJECTASSIGN-1065977