VYPR
High severity · NVD Advisory · Published Oct 30, 2018 · Updated Aug 5, 2024

CVE-2018-16469

Description

Prototype Pollution in merge <1.2.1 allows denial of service via Object prototype modification.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The merge.recursive function in the merge package versions prior to 1.2.1 is vulnerable to Prototype Pollution. An attacker can craft input that, when processed by this function, adds or modifies properties on the Object prototype. Because all objects inherit from this prototype, the injected properties become globally accessible, impacting the entire application.

Exploitation

An attacker needs to supply a malicious object to the merge.recursive call. This typically requires control over at least part of the input data, for example via JSON payloads or user-controlled parameters that are merged into existing objects. No special privileges are needed beyond the ability to influence the merged data. The specific step is to include keys like __proto__ or constructor.prototype with attacker-chosen values that are then merged into the prototype chain.

Impact

Successful exploitation results in denial of service. By polluting the Object prototype with properties that trigger infinite loops, mark attributes non-writable, or force large memory allocations, the attacker can cause the application to crash, hang, or consume excessive resources. In some cases this may also lead to unexpected behavior or security bypasses, but the primary impact is availability degradation.

Mitigation

Upgrade to merge version 1.2.1 or later, which fixes the vulnerability by sanitizing inputs that could pollute the prototype. No workarounds are provided in the references [1][2]. If upgrading is not immediately possible, avoid using the merge.recursive function with untrusted data until a patch is applied.
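As an added example that is not the merge package's own code, the following is a recursive merge hardened against the key-based prototype pollution described above, together with a post-merge check a defender can run. The function names and the sample JSON payload are constructed here for illustration.

```javascript
// Added example (not the merge package's own code): a recursive merge
// hardened against the CVE-2018-16469 pattern, plus a check a defender can
// run after merging untrusted data to confirm Object.prototype is untouched.
// Names (safeMergeRecursive, prototypeIsClean, CRAFTED_PAYLOAD) are assumptions.

// Keys through which a merged object can reach Object.prototype.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Hardened recursive merge: copies only own enumerable keys of `source`,
// drops prototype-polluting keys, and recurses only into own plain objects
// of `target`, so inherited properties are never written through.
function safeMergeRecursive(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // drop the pollution vector entirely
    const value = source[key];
    if (isPlainObject(value)) {
      const ownTarget = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = safeMergeRecursive(ownTarget ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Defender check: Object.prototype normally has no enumerable own properties;
// a polluted prototype does, so a non-empty key list signals pollution.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed sample payload in the shape the advisory describes (JSON with a
// "__proto__" key). JSON.parse keeps "__proto__" as an ordinary own key, which
// is exactly what a naive recursive merge would then assign through.
const CRAFTED_PAYLOAD = JSON.parse(
  '{"name":"ok","__proto__":{"polluted":true},"nested":{"constructor":{"prototype":{"x":1}},"deep":2}}'
);

// Merge the untrusted payload into an application config and report the outcome.
function mergeUntrusted(base, payload) {
  const merged = safeMergeRecursive(base, payload);
  return { merged, clean: prototypeIsClean(), leaked: ({}).polluted !== undefined };
}

const result = mergeUntrusted({ existing: 1 }, CRAFTED_PAYLOAD);
console.log(JSON.stringify(result.merged), 'prototype clean:', result.clean);
```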

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
merge (npm)    < 1.2.1             1.2.1

Affected products (2)

  • ghsa-coords
    Range: < 1.2.1
  • HackerOne/mergev5
    Range: < 1.2.1

Patches (0)


No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)


News mentions (0)


No linked articles in our index yet.