unclechu / node-deep-extend

Recursive extend module
MIT License

Fix prototype pollution vulnerability #39

Closed lc3t35 closed 6 years ago

lc3t35 commented 6 years ago

According to https://hackerone.com/reports/311333, deep-extend is vulnerable to prototype pollution attacks. The vulnerability exists in the utility function where the prototype of Object can be overwritten to add or modify existing properties on all objects. Could you fix this, as deep-extend is used in other packages such as https://github.com/dominictarr/rc? Thank you.

unclechu commented 6 years ago

@lc3t35 A fix was released in v0.5.1.
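To show the flaw the report above describes and the kind of check a fix such as v0.5.1 needs, here is an added example that is not deep-extend's own code: a minimal recursive extend that walks every key, beside a hardened variant that refuses `__proto__`, `constructor` and `prototype` keys. Function names and the JSON payload are constructed for the illustration.

```javascript
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}
// Vulnerable pattern: every own key of src is walked, including "__proto__".
// dst["__proto__"] resolves to Object.prototype, which looks like a plain
// object, so the recursion writes the supplied keys onto every object.
function unsafeExtend(dst, src) {
  for (const key of Object.keys(src)) {
    if (isPlainObject(src[key])) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      unsafeExtend(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}
// Hardened: skip the keys that reach a prototype, and only descend into
// objects dst owns itself, never into inherited ones.
const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeExtend(dst, src) {
  for (const key of Object.keys(src)) {
    if (PROTO_KEYS.has(key)) continue;
    if (isPlainObject(src[key])) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || !isPlainObject(dst[key])) dst[key] = {};
      safeExtend(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}
// Constructed payload, parsed from JSON so that "__proto__" is an own data
// property (an object literal with that key would set the prototype instead).
const UNTRUSTED_JSON = '{"name":"demo","__proto__":{"polluted":"yes"}}';
// Runs both merges and reports what an unrelated object inherits afterwards;
// the pollution is deleted again so the rest of the process is unaffected.
function runDemo() {
  const before = ({}).polluted;
  unsafeExtend({}, JSON.parse(UNTRUSTED_JSON));
  const afterUnsafe = ({}).polluted;
  delete Object.prototype.polluted;
  safeExtend({}, JSON.parse(UNTRUSTED_JSON));
  const afterSafe = ({}).polluted;
  return { before, afterUnsafe, afterSafe };
}
console.log(runDemo()); // { before: undefined, afterUnsafe: 'yes', afterSafe: undefined }
```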

dskrvk commented 6 years ago

Any idea how to report the fix in https://nodesecurity.io/advisories/612? Also two other issues are open against deep-extend - https://nodesecurity.io/advisories/594 & https://nodesecurity.io/advisories/611 - but the original HackerOne reports are for completely different packages.

dskrvk commented 6 years ago

Never mind, reported this to report@nodesecurity.io.