Platform
nodejs
Component
merge-deep
Fixed in
3.0.1
CVE-2018-3722 describes a prototype pollution vulnerability in versions of the merge-deep Node.js package before 3.0.1. merge-deep recursively copies properties from source objects into a target object; affected versions do not exclude the special __proto__ key, so a crafted input such as {"__proto__": {"polluted": true}} is written into Object.prototype instead of into the target. Prototype pollution lets an attacker add or change properties on the prototypes of built-in JavaScript objects, which can cause unexpected application behaviour or denial of service. Updating to version 3.0.1 or later resolves this issue.
Prototype pollution is insidious because it silently changes how every object in the process behaves. An attacker exploiting CVE-2018-3722 can inject properties into Object.prototype, from which every plain object inherits, so a property the application never set (for example isAdmin, or an option read by some library) suddenly appears defined on every object. Depending on where such a property is read, the result ranges from logic bypasses and data corruption to denial of service (for instance a crash when a polluted value is used where a function or string was expected) and, in applications where a polluted property reaches a sensitive sink such as a template engine or child-process spawn options, code execution. The impact is particularly severe in applications that deep-merge untrusted JSON (request bodies, configuration files, deserialized messages) into their own objects.
CVE-2018-3722 was publicly disclosed on July 26, 2018. While no active exploitation campaigns have been definitively linked to this specific CVE, prototype pollution vulnerabilities are generally considered a high-risk concern due to their potential for widespread impact. There are publicly available proof-of-concept exploits demonstrating the feasibility of prototype pollution attacks.
Exploit Status
EPSS
0.47% (65th percentile)
CVSS Vector
The primary mitigation for CVE-2018-3722 is to upgrade merge-deep to version 3.0.1 or later. If upgrading immediately is not feasible because of compatibility concerns, validate untrusted input before it reaches any deep-merge: reject or strip the keys __proto__, constructor and prototype at every nesting level, or validate the input against a schema that permits only the keys you expect. As defence in depth, calling Object.freeze(Object.prototype) at startup blocks the write itself, at the cost of breaking any library that legitimately extends built-in prototypes. None of this replaces the upgrade, since it only protects the entry points you remembered to guard while every other merge or clone path in the dependency tree stays exposed. Thoroughly test any change in a non-production environment before deploying it to production.
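The following is an added example, not code from merge-deep or from this advisory. unsafeMerge mirrors the general recursive-merge pattern behind CVE-2018-3722 (it is not the actual merge-deep source), safeMerge is the hardened form that drops the prototype-reaching keys, and ATTACKER_JSON is a constructed request body. Running it shows that after the unsafe merge an unrelated, freshly created object inherits isAdmin, while the safe merge leaves Object.prototype untouched.

```javascript
// Added example (not merge-deep's own code): a minimal recursive merge in the
// general style that leads to prototype pollution, beside a hardened version.
function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable pattern: every key of `source` is copied, "__proto__" included.
// Reading target["__proto__"] on a plain object returns Object.prototype, so the
// recursive call writes the attacker's keys onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened version: skip the keys that reach a prototype and only descend into
// containers that are the target's own properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop the dangerous keys
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON request body. JSON.parse creates an
// own property literally named "__proto__", which Object.keys() does return.
const ATTACKER_JSON = '{"name": "guest", "__proto__": {"isAdmin": true}}';

// Merge the payload into an empty object with `merge`, then report what an
// unrelated, freshly created object inherits. Cleans up afterwards so later
// code in this process is not affected by a polluted prototype.
function pollutionResult(merge) {
  const payload = JSON.parse(ATTACKER_JSON);
  const config = merge({}, payload);
  const unrelated = {};
  const result = { configName: config.name, inheritedIsAdmin: unrelated.isAdmin };
  delete Object.prototype.isAdmin;
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafeMerge:', pollutionResult(unsafeMerge)); // inheritedIsAdmin: true
  console.log('safeMerge:  ', pollutionResult(safeMerge));   // inheritedIsAdmin: undefined
}
```

The key blocklist is the usual fix for this bug class; an alternative is to build the target with Object.create(null) so there is no prototype to reach, but that changes the returned object's behaviour (no toString, no hasOwnProperty) and is less drop-in.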
CVE-2018-3722 is a HIGH severity vulnerability in the merge-deep Node.js package, allowing attackers to modify object prototypes and potentially cause denial-of-service or unexpected behavior.
You are affected if any copy of merge-deep earlier than 3.0.1 is installed in your Node.js project, whether as a direct dependency or pulled in transitively by another package. Checking package.json alone misses the transitive case: run npm list merge-deep (alias npm ls), which prints every installed copy with its version and where in the tree it sits, or search package-lock.json for merge-deep entries; npm audit also reports the advisory.
Upgrade merge-deep to version 3.0.1 or later. For a direct dependency, run npm install merge-deep@latest or update the version in package.json and run npm install. For a transitive copy that alone does not help: update the dependent package to a release that requires merge-deep 3.0.1 or later, try npm audit fix, or, with npm 8.3 or later, pin it with an overrides entry in package.json. Re-run npm list merge-deep afterwards to confirm that no copy below 3.0.1 remains.
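Added example, not part of this advisory: a small script that scans a package-lock.json for every installed copy of merge-deep, direct or nested, and flags those below 3.0.1. It understands the lockfileVersion 2/3 "packages" map and the lockfileVersion 1 nested "dependencies" tree. sampleLock is a constructed lock file with one fixed top-level copy and one vulnerable nested copy; pass a real path on the command line to scan a project.

```javascript
// Added example: find every installed merge-deep in a package-lock.json and
// report copies older than the fixed version. Not part of the advisory.
const FIXED_VERSION = '3.0.1';

// Parse the leading x.y.z of a version string; returns null if unparseable.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when `version` sorts strictly before `fixed` (major, minor, patch).
function isBefore(version, fixed) {
  const a = parseSemver(version);
  const b = parseSemver(fixed);
  if (!a || !b) return false; // unparseable (git URL, tag): not flagged here
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return [{ path, version }] for every installed copy of `name`.
function findInstalledCopies(lock, name) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2 or 3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree, each entry may carry its own dependencies.
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) hits.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

function vulnerableCopies(lock, name = 'merge-deep', fixed = FIXED_VERSION) {
  return findInstalledCopies(lock, name).filter((hit) => isBefore(hit.version, fixed));
}

// Constructed lock file (v2 layout): the top-level copy is fixed, the copy
// nested under a hypothetical dependency "some-tool" is not.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/merge-deep': { version: '3.0.3' },
    'node_modules/some-tool': { version: '1.2.0' },
    'node_modules/some-tool/node_modules/merge-deep': { version: '3.0.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath
    ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8'))
    : sampleLock;
  const bad = vulnerableCopies(lock);
  for (const hit of bad) console.log(`${hit.path}@${hit.version} is below ${FIXED_VERSION}`);
  if (bad.length === 0) console.log('no merge-deep copy below ' + FIXED_VERSION);
}
```

Usage: node scan-lock.js ./package-lock.json. A non-empty report means the top-level upgrade alone did not close the gap and the parent package listed in the path needs updating or an override.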
While no active campaigns have been definitively linked, prototype pollution vulnerabilities are considered high-risk, and public proof-of-concept exploits exist.
Refer to the npm advisory for CVE-2018-3722: https://www.npmjs.com/advisories/791