callumacrae / find-node-modules

:arrow_up: Return an array of all parent node_modules directories

Vulnerability: Prototype Pollution via the main (merge) function

rkristelijn opened this issue · comments

Found by vulnerability check OWASP:UsingComponentWithKnownVulnerability

Filename: merge:2.1.1 | Reference: CVE-2021-23397 | CVSS Score: 9.8 | Category: CWE-1321 | All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead.

How to reproduce:

  • clone the repo
  • run npm install
  • observe vulnerability issues

More info:
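As an added illustration of the vulnerability class the report cites (CWE-1321), not code from @ianwalter/merge or from this repository: a naive recursive merge that copies a `__proto__` key onto `Object.prototype`, beside a guarded version that drops the keys such payloads rely on. The function names and the JSON payload are constructed for this example.

```javascript
// Added example: prototype pollution through an unguarded deep merge,
// and a hardened merge that closes the hole. Not the library's code.

const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive deep merge: walks every key of `source`, including "__proto__".
// On a plain target, target["__proto__"] resolves to Object.prototype,
// so the recursion writes attacker-chosen properties onto every object.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    if (isObject(src) && isObject(target[key])) {
      naiveMerge(target[key], src);
    } else if (isObject(src)) {
      target[key] = naiveMerge({}, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened merge: refuse the keys that reach the prototype chain and only
// recurse into properties the target actually owns (never inherited ones).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // drop pollution vectors outright
    const src = source[key];
    const ownObject =
      Object.prototype.hasOwnProperty.call(target, key) && isObject(target[key]);
    if (isObject(src)) {
      target[key] = safeMerge(ownObject ? target[key] : {}, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Merges a constructed payload with the given function and reports whether
// an unrelated, freshly created object now inherits the injected property.
// Cleans Object.prototype afterwards so repeated checks start from a clean slate.
function pollutes(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed input
  mergeFn({}, payload);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

console.log('naiveMerge pollutes:', pollutes(naiveMerge)); // true
console.log('safeMerge pollutes:', pollutes(safeMerge));   // false
```

`JSON.parse` creates an own property literally named `__proto__`, which is why the check uses a parsed payload rather than an object literal (where `__proto__` would instead set the prototype at construction time).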