CVE-2019-10745
HIGH7.5EPSS 0.24%assign-deep Vulnerable to Prototype Pollution
Published: 8/21/2019Modified: 3/13/2026
Description
Versions of `assign-deep` prior to 1.0.1 and 0.4.8 are vulnerable to Prototype Pollution. The `assign` function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. ## Recommendation Upgrade to versions 1.0.1, 0.4.8, or later.
Affected packages (1)
- npm/assign-deepfrom 0, < 0.4.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10745
- PATCHhttps://github.com/jonschlinkert/assign-deep
- WEBhttps://github.com/jonschlinkert/assign-deep/commit/8e3cc4a34246733672c71e96532105384937e56c
- WEBhttps://github.com/jonschlinkert/assign-deep/commit/90bf1c551d05940898168d04066bbf15060f50cc
- WEBhttps://snyk.io/vuln/SNYK-JS-ASSIGNDEEP-450211
- WEBhttps://www.npmjs.com/advisories/1014