
Address Prototype Pollution vulnerability

Open omrilotan opened this issue 6 years ago • 1 comment

TL;DR

This vulnerability exposes language construct prototypes to unwanted modifications

const defaultsDeep = require('defaults-deep');

// A source whose keys walk constructor -> prototype reaches Object.prototype,
// so the merged value becomes visible on every object in the process.
defaultsDeep(
  {},
  { constructor: { prototype: { isAdmin: true } } }
);

console.log({}.isAdmin); // true for all objects now

Further reading:

Open reports:

omrilotan avatar Aug 25 '19 07:08 omrilotan
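The mechanism behind the report above, as an added example that is not part of the original issue and not the code of the defaults-deep package: a naive recursive "defaults" merge of the kind the report describes, beside a hardened version that refuses the keys through which a merge can climb to Object.prototype. The function names (`naiveDefaultsDeep`, `safeDefaultsDeep`, `pollutes`) and both payloads are this example's own; the second payload is delivered as JSON to show that `JSON.parse` turns `"__proto__"` into an ordinary own key, which a merge that only guards against object literals would miss.

```javascript
// Added example, not code from defaults-deep or from the issue author.
// Names and payloads below are this example's own assumptions.

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// VULNERABLE: recurses into any object-typed value and reads target[key]
// through the prototype chain, so `constructor` resolves to the Object
// function and `prototype` (or an own "__proto__" key) to Object.prototype.
function naiveDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === undefined) target[key] = {};
      naiveDefaultsDeep(target[key], value);
    } else if (target[key] === undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Keys that let a merge climb from a plain object to a shared prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// HARDENED: skips prototype-reaching keys, only recurses into plain objects,
// and checks own properties so inherited values are never used as targets.
function safeDefaultsDeep(target, source) {
  const hasOwn = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key)) target[key] = {};
      if (!isPlainObject(target[key])) continue; // existing scalar wins; do not recurse into it
      safeDefaultsDeep(target[key], value);
    } else if (!hasOwn(target, key)) {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payloads: the one from the issue, and the same attack as JSON,
// where JSON.parse makes "__proto__" an ordinary own key of the parsed object.
const CONSTRUCTOR_PAYLOAD = { constructor: { prototype: { isAdmin: true } } };
const PROTO_PAYLOAD = JSON.parse('{"__proto__": {"isAdmin": true}}');

// Runs `merge` with `payload` against an empty object and reports whether a
// fresh, unrelated object now sees isAdmin; undoes any pollution afterwards.
function pollutes(merge, payload) {
  merge({}, payload);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('naive / constructor.prototype:', pollutes(naiveDefaultsDeep, CONSTRUCTOR_PAYLOAD)); // true
  console.log('naive / __proto__ via JSON   :', pollutes(naiveDefaultsDeep, PROTO_PAYLOAD));       // true
  console.log('safe  / constructor.prototype:', pollutes(safeDefaultsDeep, CONSTRUCTOR_PAYLOAD));  // false
  console.log('safe  / __proto__ via JSON   :', pollutes(safeDefaultsDeep, PROTO_PAYLOAD));        // false
  // Defaults semantics are preserved: existing values win, missing ones are filled.
  console.log(JSON.stringify(safeDefaultsDeep({ a: { b: 1 } }, { a: { b: 2, c: 3 }, d: 4 }))); // {"a":{"b":1,"c":3},"d":4}
}
```

Two design points worth carrying into a real fix: the key denylist alone is not enough, because `target[key]` read through the prototype chain still hands the recursion an inherited object (here the `Object` function), so the hardened version also refuses to recurse into anything that is not a plain object it owns; and the check must run on the parsed input, not on object literals, since attacker input arrives as JSON or query strings where `__proto__` is a plain own key.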

@jonschlinkert Is there any hope to release this security patch?

omrilotan avatar Sep 12 '19 10:09 omrilotan