CVE-2018-16486

Critical

A prototype pollution vulnerability was found in defaults-deep <=0.2.4 that would allow a malicious user to inject properties onto…

hackerone·CWE-400·Published 2019-02-01

CVSS

9.8

EPSS

0.01

KEV

Exploits

cve.orgen

148 chars

A prototype pollution vulnerability was found in defaults-deep <=0.2.4 that would allow a malicious user to inject properties onto Object.prototype.

NVDen

148 chars

A prototype pollution vulnerability was found in defaults-deep <=0.2.4 that would allow a malicious user to inject properties onto Object.prototype.

All versions of `defaults-deep` are vulnerable to prototype pollution. Provided certain input `defaults-deep` can add or modify properties of the `Object` prototype. These properties will be present on all objects. ## Recommendation As no patch is currently available for this vulnerability it is our recommendation to select another module that can provide this functionality.

GHSAen

380 chars

NVDes

201 chars

Se ha detectado una vulnerabilidad de contaminación de prototipo en defaults-deep, en la versión 0.2.4 y anteriores, que podría permitir a un usuario malicioso inyectar propiedades en Object.prototype.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	7.5	10.0	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
3.0	Primary	NVD	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.1	Secondary	GHSA	9.8	—	—	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H