Vulnerability: Prototype Pollution via the main (merge) function
rkristelijn opened this issue
Remi Kristelijn commented
Found by vulnerability check OWASP:UsingComponentWithKnownVulnerability
Filename: merge:2.1.1 | Reference: CVE-2021-23397 | CVSS Score: 9.8 | Category: CWE-1321 | All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead.
How to reproduce:
- clone the repo
- run `npm install`
- observe vulnerability issues