Fixed Prototype pollution in simple-deep-assign

[d3m0n-r00t]

📊 Metadata *

Fixed Prototype pollution in simple-deep-assign.

Bounty URL: https://www.huntr.dev/bounties/1-npm-simple-deep-assign

⚙️ Description *

simple-deep-assign is vulnerable to Prototype Pollution.

💻 Technical Description *

The package is vulnerable to Prototype pollution in the deepAssgin function. This vulnerability is fixed by filtering the keywords that causes pollution from the object.

🐛 Proof of Concept (PoC) *

// poc.mjs
import deepAssign from 'simple-deep-assign';

console.log('Before: ', {}.polluted})
deepAssign({}, JSON.parse('{"__proto__": {"polluted": "Prototype Polluted"}}'));
console.log('After: ', {}.polluted})

Before: undefined
After: Prototype Polluted

🔥 Proof of Fix (PoF) *

After fix:

👍 User Acceptance Testing (UAT)

All ok.

🔗 Relates to...

Provide the URL of the PR for the disclosure that this fix relates to.

[mzfr]

[huntr-helper]

Congratulations d3m0n-r00t - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section, or hit us up on Discord. Your bounty is on its way - keep hunting!

Come join us on Discord