CVE-2019-10745
HIGH7.5EPSS 0.24%assign-deep Vulnerable to Prototype Pollution
發布日:2019/8/21修改日:2026/3/13
描述
Versions of `assign-deep` prior to 1.0.1 and 0.4.8 are vulnerable to Prototype Pollution. The `assign` function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. ## Recommendation Upgrade to versions 1.0.1, 0.4.8, or later.
受影響套件(1)
- npm/assign-deepfrom 0, < 0.4.8
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10745
- PATCHhttps://github.com/jonschlinkert/assign-deep
- WEBhttps://github.com/jonschlinkert/assign-deep/commit/8e3cc4a34246733672c71e96532105384937e56c
- WEBhttps://github.com/jonschlinkert/assign-deep/commit/90bf1c551d05940898168d04066bbf15060f50cc
- WEBhttps://snyk.io/vuln/SNYK-JS-ASSIGNDEEP-450211
- WEBhttps://www.npmjs.com/advisories/1014