putil-merge@2.1.0 vulnerabilities

Lightweight solution for merging multiple objects into one. Also it supports deep merge and deep clone

  • latest version

    3.13.0

  • latest non vulnerable version

  • first published

    7 years ago

  • latest version published

    4 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the putil-merge package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Prototype Pollution

    putil-merge is a Lightweight solution for merging multiple objects into one. Also it supports deep merge.

    Affected versions of this package are vulnerable to Prototype Pollution. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property.

    Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-PUTILMERGE-1317077

    How to fix Prototype Pollution?

    Upgrade putil-merge to version 3.8.0 or higher.

    <3.8.0
    • H
    Prototype Pollution

    putil-merge is a Lightweight solution for merging multiple objects into one. Also it supports deep merge.

    Affected versions of this package are vulnerable to Prototype Pollution. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the __proto__ property.

    How to fix Prototype Pollution?

    Upgrade putil-merge to version 3.7.0 or higher.

    <3.7.0