
Fix prototype pollution vulnerability #39

Closed
lc3t35 opened this issue Apr 21, 2018 · 3 comments

lc3t35 commented Apr 21, 2018

According to https://hackerone.com/reports/311333, deep-extend is vulnerable to prototype pollution attacks. The vulnerability exists in the utility function where the prototype of Object can be overwritten to add or modify existing properties on all objects.
Could you fix this as deep-extend is used in other packages such as https://github.com/dominictarr/rc
Thank you.
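The mechanism the report describes, as an added illustration that is not part of this issue or of deep-extend's own source: a minimal recursive merge with the same class of bug (it descends into a `__proto__` key of attacker-supplied JSON, and on a plain target `target["__proto__"]` is `Object.prototype`), beside a hardened version that refuses to walk into `__proto__`, `constructor` and `prototype` keys and only reuses nested objects that are the target's own properties. The function names `unsafeDeepExtend`, `safeDeepExtend` and `demo`, and the payload, are constructed for this example.

```javascript
// Added illustration (not deep-extend's source): a recursive merge with the
// class of bug described in HackerOne report 311333, beside a hardened version.

// Plain object check: excludes null, arrays, functions and primitives.
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: walks every own key of `source`, including "__proto__".
// On a plain target, target["__proto__"] resolves to Object.prototype, so the
// recursion writes attacker-chosen properties onto every object in the process.
function unsafeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: never descend into keys that reach the prototype chain, and only
// reuse an existing nested object when it is the target's own property.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed payload, shaped like config JSON a consumer such as rc might
// merge. JSON.parse creates an own property literally named "__proto__".
const PAYLOAD = '{"__proto__": {"polluted": "yes"}, "name": "app"}';

// Merge the payload into a fresh object with the given merge function and
// report whether an unrelated object picked up the injected property.
function demo(merge) {
  const result = merge({}, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted;      // read from a brand-new object
  delete Object.prototype.polluted;  // reset global state for the next run
  return { name: result.name, leaked };
}

console.log('unsafe:', demo(unsafeDeepExtend)); // leaked: 'yes'
console.log('safe:  ', demo(safeDeepExtend));   // leaked: undefined
```

Run with `node`. The key check is the part that matters for the report: a deep merge must treat `__proto__` as data, not as a path into the prototype chain; blocking `constructor` and `prototype` as well covers merge implementations that recurse into non-plain objects such as functions.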

@unclechu (Owner)

@lc3t35 A fix is released in v0.5.1.


dskrvk commented May 7, 2018

Any idea how to report the fix in https://nodesecurity.io/advisories/612? Also two other issues are open against deep-extend - https://nodesecurity.io/advisories/594 & https://nodesecurity.io/advisories/611 - but the original HackerOne reports are for completely different packages.


dskrvk commented May 7, 2018

Never mind, reported this to report@nodesecurity.io.
