{
  "schema_version": "1.4.0",
  "id": "GHSA-f7qw-5pvg-mmwp",
  "modified": "2021-08-16T14:36:47Z",
  "published": "2019-06-13T18:58:44Z",
  "aliases": [],
  "summary": "Prototype Pollution in lutils-merge",
  "details": "All versions of `lutils-merge` are vulnerable to Prototype Pollution. The merge() function fails to prevent user input to alter an Object's prototype, allowing attackers to modify override properties of all objects in the application. This may lead to Denial of Service or may be chained with other vulnerabilities leading to Remote Code Execution.\n\n\n## Recommendation\n\nThe package is deprecated and no fixes are available. Consider using an alternative package.\n",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "lutils-merge"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.2.6"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nfour/lutils-merge/issues/1"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/439107"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-LUTILSMERGE-174783"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/893"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2019-06-13T18:58:27Z",
    "nvd_published_at": null
  }
}