CVE-2018-3751

EUVD-2018-0453
The utilities function in all versions <= 0.3.0 of the merge-recursive node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
Affected Products (NVD)
VendorProductVersion
umbraengineeringmerge-recursive
𝑥
≤ 0.3.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://hackerone.com/reports/311337
https://hackerone.com/reports/311337