CVE-2022-24802

Prototype Pollution in deepmerge-ts

Description

deepmerge-ts is a typescript library providing functionality to deep merging of javascript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords(). This issue has been patched in version 4.0.2. There are no known workarounds for this issue.

References

Link	Tags
https://github.com/RebeccaStevens/deepmerge-ts/security/advisories/GHSA-r9w3-g83q-m6hq	third party advisory
https://github.com/RebeccaStevens/deepmerge-ts/commit/b39f1a93d9e1c3541bd2fe159fd696a16dbe1c72	third party advisory patch
https://github.com/RebeccaStevens/deepmerge-ts/commit/d637db7e4fb2bfb113cb4bc1c85a125936d7081b	third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2022-24802?: CVE-2022-24802 has been scored as a high severity vulnerability.
How to fix CVE-2022-24802?: To fix CVE-2022-24802, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-24802 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2022-24802 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-24802?: CVE-2022-24802 affects RebeccaStevens deepmerge-ts.

Description

Categories

CWE-915 – Improperly Controlled Modification of Dynamically-Determined Object Attributes

CWE-1321 – Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

References

Frequently Asked Questions