merge-deep
Fixed in 3.0.1
CVE-2018-3722 describes a prototype pollution vulnerability affecting versions of the merge-deep Node.js package before 3.0.1. Prototype pollution occurs when an attacker can modify the prototype of built-in JavaScript objects, potentially leading to unexpected application behavior or denial-of-service. Updating to version 3.0.1 or later resolves this issue.
Prototype pollution vulnerabilities are insidious because they can silently alter the behavior of JavaScript applications. An attacker exploiting CVE-2018-3722 could inject malicious properties into the prototypes of core JavaScript objects like Object.prototype, Array.prototype, or String.prototype. This could lead to unexpected application behavior, data corruption, or even remote code execution if the polluted prototype is used in a critical part of the application. The impact is particularly severe in applications that rely heavily on dynamic object manipulation or serialization/deserialization.
CVE-2018-3722 was publicly disclosed on July 26, 2018. While no active exploitation campaigns have been definitively linked to this specific CVE, prototype pollution vulnerabilities are generally considered a high-risk concern due to their potential for widespread impact. There are publicly available proof-of-concept exploits demonstrating the feasibility of prototype pollution attacks.
Applications built with Node.js that use the merge-deep package are at risk. This includes web applications, backend services, and command-line tools that rely on this package for object merging. Projects that inherited merge-deep as a transitive dependency of another package, including those running older versions of Node.js, are also potentially affected.
• nodejs / server: npm list merge-deep
If the output shows a version lower than 3.0.1, the system is vulnerable.
• nodejs / server: npm audit merge-deep
This command will identify vulnerabilities in your project's dependencies, including CVE-2018-3722.
• nodejs / supply-chain: Examine package.json files for merge-deep versions < 3.0.1 in your project and its dependencies.
• nodejs / server: Monitor application logs for unusual object property access or modification patterns that could indicate prototype pollution attempts.
disclosure
Exploit Status
EPSS: 0.47% (65th percentile)
CVSS Vector
The primary mitigation for CVE-2018-3722 is to upgrade the merge-deep package to version 3.0.1 or later. If upgrading immediately is not feasible due to compatibility concerns, consider implementing input validation to sanitize data before merging it with objects. This can help prevent malicious properties from being injected into the prototype. While not a complete solution, this can reduce the attack surface. Thoroughly test any changes in a non-production environment before deploying to production.
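The following is an added example, not code from the merge-deep package or from this advisory. It uses a constructed naive recursive merge to show how a JSON payload carrying a "__proto__" key ends up writing onto Object.prototype (the mechanism described above), and places beside it a hardened merge that applies the input-validation mitigation by refusing to follow the keys __proto__, constructor and prototype. The function names (naiveMerge, safeMerge, isPrototypePolluted, demonstrate), the UNSAFE_KEYS set and the sample payload are all assumptions made for the illustration.

```javascript
// Added example, not merge-deep's own code. Names and the payload are constructed.

// Keys that let a write escape the target object and land on a shared prototype.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// VULNERABLE (constructed): walks every own key of `source`, including "__proto__".
// `target["__proto__"]` resolves to Object.prototype, so the recursive call writes
// onto it and every object in the process then inherits the injected property.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED (constructed): drops prototype-bearing keys from untrusted input and
// only descends into properties the target actually owns, never inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // discard rather than follow
    if (isPlainObject(source[key])) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Runtime check usable from application code or a health probe: a fresh empty
// object must not see `probe`; if it does, a shared prototype has been polluted.
function isPrototypePolluted(probe) {
  return probe in {};
}

// Constructed payload of the shape an untrusted JSON body could carry. JSON.parse
// creates an OWN property named "__proto__" here, so Object.keys() returns it.
const PAYLOAD_JSON = '{"__proto__": {"polluted": "yes"}, "name": "x"}';

// Runs one merge implementation against the payload and reports whether the
// injected property leaked into an unrelated object. Cleans up afterwards so a
// vulnerable run does not contaminate a later one in the same process.
function demonstrate(mergeFn) {
  const payload = JSON.parse(PAYLOAD_JSON);
  const config = mergeFn({ name: "default" }, payload);
  const result = {
    name: config.name,
    leaked: isPrototypePolluted("polluted"),
    unrelated: {}.polluted, // a brand-new object, never merged into
  };
  delete Object.prototype.polluted;
  return result;
}

console.log("naiveMerge:", demonstrate(naiveMerge)); // leaked: true, unrelated: "yes"
console.log("safeMerge:", demonstrate(safeMerge));   // leaked: false, unrelated: undefined
```

Run it with node; the first line shows the injected property visible on an object that was never merged into, the second shows the hardened merge leaving the prototype untouched. The same isPrototypePolluted-style probe, run periodically or at request boundaries, gives a concrete signal for the monitoring suggested in the detection checks above.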
No official patch available. Look for alternatives or monitor for updates.
CVE-2018-3722 is a HIGH severity vulnerability in the merge-deep Node.js package, allowing attackers to modify object prototypes and potentially cause denial-of-service or unexpected behavior.
You are affected if you are using a version of merge-deep prior to 3.0.1 in your Node.js project. Check your package.json file and run npm list merge-deep to verify.
Upgrade the merge-deep package to version 3.0.1 or later using npm install merge-deep@latest or by updating your package.json file and running npm install.
While no active campaigns have been definitively linked, prototype pollution vulnerabilities are considered high-risk, and public proof-of-concept exploits exist.
Refer to the npm advisory for CVE-2018-3722: https://www.npmjs.com/advisories/791