Vulnerability	Vulnerable Version
M Prototype Pollution @fluentui/styles is a set of styling utilities for CSS-in-JS. Affected versions of this package are vulnerable to Prototype Pollution. The `deepmerge` function available within the styles package of FluentUI allows one object to merge with another recursively. Given a value such as `__proto__`, this value is merged without any prior validation. `__proto__` will modify the properties of all existing properties and new properties resulting in pollution of an object's prototype. PoC `var styles = require("@fluentui/styles"); var malicious_payload = '{"__proto__":{"vulnerable":"Polluted"}}'; var source2 = { k3: { } }; var x = styles.deepmerge(source2, JSON.parse(malicious_payload)) console.log({}.vulnerable)` How to fix Prototype Pollution? Upgrade `@fluentui/styles` to version 0.50.0 or higher.	<0.50.0

Prototype Pollution

@fluentui/styles is a set of styling utilities for CSS-in-JS.

Affected versions of this package are vulnerable to Prototype Pollution. The deepmerge function available within the styles package of FluentUI allows one object to merge with another recursively. Given a value such as __proto__, this value is merged without any prior validation. __proto__ will modify the properties of all existing properties and new properties resulting in pollution of an object's prototype.

PoC

var styles = require("@fluentui/styles");
var malicious_payload = '{"__proto__":{"vulnerable":"Polluted"}}';
var source2 = {
    k3: { }  
  };
var x = styles.deepmerge(source2, JSON.parse(malicious_payload))
console.log({}.vulnerable)

How to fix Prototype Pollution?

Upgrade @fluentui/styles to version 0.50.0 or higher.

<0.50.0

Go back to all versions of this package