Fixed version
3.0.1
CVE-2018-3722 describes a prototype pollution vulnerability affecting versions of the merge-deep Node.js package before 3.0.1. Prototype pollution occurs when an attacker can modify the prototype of built-in JavaScript objects, potentially leading to unexpected application behavior or denial-of-service. Updating to version 3.0.1 or later resolves this issue.
Prototype pollution vulnerabilities are insidious because they can silently alter the behavior of JavaScript applications. An attacker exploiting CVE-2018-3722 could inject malicious properties into the prototypes of core JavaScript objects like Object.prototype, Array.prototype, or String.prototype. This could lead to unexpected application behavior, data corruption, or even remote code execution if the polluted prototype is used in a critical part of the application. The impact is particularly severe in applications that rely heavily on dynamic object manipulation or serialization/deserialization.
CVE-2018-3722 was publicly disclosed on July 26, 2018. While no active exploitation campaigns have been definitively linked to this specific CVE, prototype pollution vulnerabilities are generally considered a high-risk concern due to their potential for widespread impact. There are publicly available proof-of-concept exploits demonstrating the feasibility of prototype pollution attacks.
Applications built with Node.js that use the merge-deep package are at risk. This includes web applications, backend services, and command-line tools that rely on this package for object merging. Projects using older versions of Node.js that may have inherited this dependency through transitive dependencies are also potentially affected.
• nodejs / server:
npm list merge-deep
If the output shows a version less than 3.0.1, the system is vulnerable.
• nodejs / server:
npm audit merge-deep
This command will identify vulnerabilities in your project's dependencies, including CVE-2018-3722.
• nodejs / supply-chain: Examine package.json files for merge-deep versions < 3.0.1 in your project and dependencies.
• nodejs / server: Monitor application logs for unusual object property access or modification patterns that could indicate prototype pollution attempts.
disclosure
Exploit status
EPSS
0.47% (65th percentile)
CVSS vector
The primary mitigation for CVE-2018-3722 is to upgrade the merge-deep package to version 3.0.1 or later. If upgrading immediately is not feasible due to compatibility concerns, consider implementing input validation to sanitize data before merging it with objects. This can help prevent malicious properties from being injected into the prototype. While not a complete solution, this can reduce the attack surface. Thoroughly test any changes in a non-production environment before deploying to production.
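As an added illustration (not merge-deep's own code), the naive recursive merge pattern this vulnerability class describes, next to a hardened variant and a pre-merge key validator of the kind the interim mitigation above calls for; UNSAFE_KEYS, PAYLOAD and all function names are constructed for this example.

```javascript
// Added example, not merge-deep's own code. Key names and PAYLOAD are constructed.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
// Constructed untrusted JSON body: one legitimate key and one polluting key.
const PAYLOAD = '{"settings": {"theme": "dark"}, "__proto__": {"polluted": true}}';
const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Vulnerable pattern: every own key of src is written into dst. The key "__proto__"
// resolves to dst's prototype (Object.prototype here), so the payload lands there.
function naiveMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (isPlainObject(src[key])) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      naiveMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Hardened variant: prototype-reaching keys are dropped, and recursion only
// descends into dst's own plain-object properties, never inherited ones.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || !isPlainObject(dst[key])) dst[key] = {};
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Pre-merge validation: false if any key at any depth could reach the prototype chain.
function hasOnlySafeKeys(obj) {
  return Object.keys(obj).every(
    (k) => !UNSAFE_KEYS.has(k) && (!isPlainObject(obj[k]) || hasOnlySafeKeys(obj[k]))
  );
}
// Merge PAYLOAD into a fresh object, check whether an unrelated object inherits "polluted", undo.
function demo(mergeFn) {
  const target = mergeFn({}, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { theme: target.settings.theme, leaked };
}
```

Running hasOnlySafeKeys on request bodies before handing them to an unpatched merge rejects the polluting input while letting ordinary nested settings through.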
No official patch is available. Check for workarounds or monitor for updates.
CVE-2018-3722 is a HIGH severity vulnerability in the merge-deep Node.js package, allowing attackers to modify object prototypes and potentially cause denial-of-service or unexpected behavior.
You are affected if you are using a version of merge-deep prior to 3.0.1 in your Node.js project. Check your package.json file and run npm list merge-deep to verify.
Upgrade the merge-deep package to version 3.0.1 or later using npm install merge-deep@latest or by updating your package.json file and running npm install.
While no active campaigns have been definitively linked, prototype pollution vulnerabilities are considered high-risk, and public proof-of-concept exploits exist.
Refer to the npm advisory for CVE-2018-3722: https://www.npmjs.com/advisories/791