🚨 Potential Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)

[huntr-helper]

👋 Hello, @jaredhanson - a potential high severity Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321) vulnerability in your repository has been disclosed to us.

Next Steps

1️⃣ Visit https://huntr.dev/bounties/1-other-jaredhanson/utils-merge for more advisory information.

2️⃣ Sign-up to validate or speak to the researcher for more assistance.

3️⃣ Propose a patch or outsource it to our community - whoever fixes it gets paid.

---

Confused or need more help?

• Join us on our Discord and a member of our team will be happy to help! 🤗

• Speak to a member of our team: @JamieSlome

---

This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.

[jayateertha043]

Hi ,
I also published a fix for this at #9
It seems to have passed all the tests, you may merge it if it helped.

Thanks

[rockarts]

This passes the tests but your fix doesn't work. It's also just copying #7 and trying to claim a bounty. It's debatable that this is even an issue since most repos rely on the merge functionality that both our issues "fix".

[snoopysecurity]

I don' think there is prototype pollution here:

var merge = require('utils-merge');
var a = { foo: 'bar', qux: 'corge' }
      , b = {
        "__proto__": {
          "polluted": "true",
        }
      };
    var o = merge(a, b);
    console.log(o.polluted) //o is polluted but not the global object prototype
    console.log({}.polluted) //if there was prototype pollution, this would be true

You are polluting your own object, not the global object

[jayateertha043]

Yes, I agree this isn't a issue as global object isn't polluted, sorry my bad didn't check that properly.

You may close the issue.

[JamieSlome]

I have appropriately marked the advisory as invalid.

Cheers! 🍰