CVE-2022-25907: ts-deepmerge before 2.0.2 vulnerable to Prototype Pollution

August 10, 2022 (updated August 11, 2022)

The package ts-deepmerge before 2.0.2 is vulnerable to Prototype Pollution due to missing sanitization of the merge function.

References

github.com/advisories/GHSA-7qqq-gh2f-wq76
github.com/voodoocreation/ts-deepmerge/commit/9be5148773343c57be9de39728d6ead18eddf10b
github.com/voodoocreation/ts-deepmerge/releases/tag/2.0.2
nvd.nist.gov/vuln/detail/CVE-2022-25907
security.snyk.io/vuln/SNYK-JS-TSDEEPMERGE-2959975

Code Behaviors & Features

Detect and mitigate CVE-2022-25907 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →