CVE-2018-3722
Description
merge-deep before 3.0.1 allows prototype pollution via __proto__, enabling modification of Object properties on all objects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The merge-deep npm package before version 3.0.1 contains a prototype pollution vulnerability. The recursive merge inside the mergeDeep function does not filter out the __proto__ key, so a malicious payload (in practice attacker-controlled JSON that has been run through JSON.parse) merged into another object can write properties onto Object.prototype, the prototype shared by every ordinary object in the runtime [1][2]. The weakness is classified as Modification of Assumed-Immutable Data (MAID, CWE-471) [1].
Exploitation
An attacker supplies an object whose own __proto__ key holds an object of arbitrary properties. The practical vector is JSON: JSON.parse('{"__proto__": {"polluted": true}}') creates an own, enumerable property literally named __proto__, whereas the same text written as a JavaScript object literal would only set that literal's prototype and never reach the merge loop. Because the key is an own property, it passes the hasOwn check on line 33 of index.js; merge-deep then reads target['__proto__'], which resolves to Object.prototype, and recursively merges the attacker's properties into it [3]. No special privileges are needed beyond the ability to supply one of the inputs to mergeDeep.
Impact
Successful exploitation pollutes Object.prototype: every property assigned via __proto__ becomes visible on every object in the runtime that does not shadow it with an own property of the same name [1][2]. The consequence depends on how the application later reads the polluted property: a lookup that was expected to return undefined now returns an attacker-chosen value, which can cause unexpected behavior or denial of service and, in some application contexts, privilege escalation, arbitrary code execution, or data corruption.
Mitigation
Update to merge-deep version 3.0.1 or later. The fix (commit 2c33634da7129a5aefcc262d2fec2e72224404e5) adds an explicit key === '__proto__' comparison to the merge loop and skips that key [3]. The advisory documents no workaround for vulnerable versions; upgrading is the recommended mitigation.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| merge-deep (npm) | < 3.0.1 | 3.0.1 |
Affected products
- HackerOne / merge-deep node module: versions before 3.0.1
Patches
1 file changed · +1 −1
index.js+1 −1 modified@@ -30,7 +30,7 @@ module.exports = function mergeDeep(orig, objects) { function merge(target, obj) { for (var key in obj) { - if (!hasOwn(obj, key)) { + if (key === '__proto__' || !hasOwn(obj, key)) { continue; }
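Review bot: the guard added in this hunk is a single-string denylist (key === '__proto__') placed in front of the existing hasOwn check, and the patch stats (1 file changed, +1 −1) show no regression test accompanying it; suggest adding a test that merges JSON.parse('{"__proto__": {"polluted": true}}') into a fresh object and asserts ({}).polluted is undefined afterwards, and documenting in the commit why the skip is needed despite hasOwn (a JSON.parse'd "__proto__" is an own key). Since the loop still recurses through target[key] for every other key, it is also worth confirming that no other key name can reach a shared prototype through that path, because the check compares exactly one string.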
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9g9w-hmvj-5h57 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-3722 (NVD entry)
- github.com/jonschlinkert/merge-deep/commit/2c33634da7129a5aefcc262d2fec2e72224404e5 (fix commit)
- hackerone.com/reports/310708 (HackerOne report)
- www.npmjs.com/advisories/580 (npm advisory)