EPSS percentile: 72.2%
merge is vulnerable to prototype pollution. The function _recursiveMerge allows for an injection of arbitrary properties into existing construct prototypes and modification of attributes such as __proto__, constructor and prototype.
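The pattern the advisory describes, shown next to a hardened form that skips the three named keys. This is an added example, not the merge package's source: `naiveMerge`, `safeMerge`, `checkMerge` and the sample input are hypothetical and constructed for illustration.

```javascript
// Added illustration; not the merge package's code. All names are hypothetical.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Unsafe pattern: every key from the input is followed into the target,
// so target['__proto__'] resolves to Object.prototype and gets written to.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: drop the three keys and recurse only into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key)
      ? target[key]
      : undefined;
    if (isPlainObject(value)) {
      target[key] = safeMerge(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input, as it would arrive from JSON.parse of untrusted data.
const SAMPLE = '{"name":"x","__proto__":{"polluted":true},"opts":{"a":1}}';

// Returns true if merging SAMPLE changed Object.prototype; restores it afterwards.
function checkMerge(mergeFn) {
  mergeFn({ opts: { b: 2 } }, JSON.parse(SAMPLE));
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return polluted;
}

console.log('naive polluted:', checkMerge(naiveMerge));
console.log('safe polluted:', checkMerge(safeMerge));
```
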
github.com/advisories/GHSA-7wpw-2hjm-89gp
github.com/yeikos/js.merge/blob/master/src/index.ts%23L64
github.com/yeikos/js.merge/blob/v2.1.0/src/index.ts#L64-L67
vuldb.com/?id.170146
www.npmjs.com/advisories/1666