CVE-2018-16469 Information

Description

The merge.recursive function in the merge package 1.2.1 can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects allowing for a denial of service attack.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Reference

https://hackerone.com/reports/381194

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

7.5