{ "schema_version": "1.4.0", "id": "GHSA-66rh-8fw6-59q6", "modified": "2022-08-03T16:21:27Z", "published": "2019-08-21T16:15:13Z", "aliases": [ "CVE-2019-10745" ], "summary": "assign-deep Vulnerable to Prototype Pollution", "details": "Versions of `assign-deep` prior to 1.0.1 and 0.4.8 are vulnerable to Prototype Pollution. The `assign` function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.\n\n## Recommendation\n\nUpgrade to versions 1.0.1, 0.4.8, or later.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "assign-deep" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.4.8" } ] } ] }, { "package": { "ecosystem": "npm", "name": "assign-deep" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.1" } ] } ], "versions": [ "1.0.0" ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10745" }, { "type": "WEB", "url": "https://github.com/jonschlinkert/assign-deep/commit/8e3cc4a34246733672c71e96532105384937e56c" }, { "type": "WEB", "url": "https://github.com/jonschlinkert/assign-deep/commit/90bf1c551d05940898168d04066bbf15060f50cc" }, { "type": "PACKAGE", "url": "https://github.com/jonschlinkert/assign-deep" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-ASSIGNDEEP-450211" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/1014" } ], "database_specific": { "cwe_ids": [ "CWE-1321", "CWE-20", "CWE-915" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2019-08-21T15:53:43Z", "nvd_published_at": "2019-08-20T19:15:00Z" } }