Versions of angular prior to 1.7.9 are vulnerable to prototype pollution. The deprecated API function merge() does not restrict the modification of an Object’s prototype in the , which may allow an attacker to add or modify an existing property that will exist on all objects.
Upgrade to version 1.7.9 or later. The function was already deprecated and upgrades are not expected to break functionality.
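The behavior described above, shown as an added example (not AngularJS source and not part of the original advisory): a simplified recursive merge with and without a key guard, run on a constructed JSON input. The names unsafeMerge, safeMerge and pollutes, and the choice to also block the constructor and prototype keys, are assumptions made for illustration.

```javascript
// Added illustration: simplified recursive merges, NOT AngularJS source code.
const isObject = (v) => v !== null && typeof v === 'object';

// Unguarded: recurses into every own enumerable key of src, including "__proto__".
// Reading dst["__proto__"] on a plain object yields Object.prototype, so the
// recursion ends up writing onto the prototype shared by all objects.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (isObject(src[key])) {
      if (!isObject(dst[key])) dst[key] = Array.isArray(src[key]) ? [] : {};
      unsafeMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Guarded: keys that can reach a prototype are skipped before any read or write.
// Blocking "constructor" and "prototype" as well is a conservative assumption.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (isObject(src[key])) {
      if (!isObject(dst[key])) dst[key] = Array.isArray(src[key]) ? [] : {};
      safeMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Regression check: merge a constructed untrusted document, then see whether an
// unrelated fresh object picked up the property. Cleans up Object.prototype after.
function pollutes(mergeFn) {
  // Constructed sample input; JSON.parse makes "__proto__" an own property.
  const input = JSON.parse('{"theme": {"dark": true}, "__proto__": {"polluted": true}}');
  const result = mergeFn({}, input);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { leaked, result };
}

console.log('unguarded merge leaks:', pollutes(unsafeMerge).leaked);
console.log('guarded merge leaks:  ', pollutes(safeMerge).leaked);
```

A check like pollutes() can be kept as a regression test around any deep-merge helper that handles untrusted JSON.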
github.com/angular/angular.js
github.com/angular/angular.js/commit/add78e62004e80bb1e16ab2dfe224afa8e513bc3
github.com/angular/angular.js/pull/16913
lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2019-10768
snyk.io/vuln/SNYK-JS-ANGULAR-534884
www.npmjs.com/advisories/1343