CVE-2018-3751
Description
The utilities function in all versions <= 0.3.0 of the merge-recursive node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| merge-recursive (npm) | <= 0.0.3 | — |
Vulnerability mechanics
Root cause
"Missing input validation on object property keys allows `__proto__` to be used for prototype pollution."
Attack vector
An attacker supplies a JSON payload containing a `__proto__` key (e.g., `{"__proto__":{"oops":"It works !"}}`). When the `merge-recursive` library merges this payload into another object, it assigns properties directly onto `Object.prototype` via the `__proto__` accessor [ref_id=1]. This prototype pollution allows the attacker to add or overwrite properties on all objects in the runtime, which can lead to denial of service, property injection, or further exploitation depending on the application context [CWE-20].
Affected code
The `merge-recursive` npm package (all versions ≤ 0.0.3) exposes a `recursive` utility function that merges objects without sanitizing property keys. The advisory does not specify a particular file or function signature beyond the exported `recursive` method [ref_id=1].
What the fix does
No patch has been published for this vulnerability. The advisory states "There is currently no fix available" [ref_id=1]. The recommended remediation is to avoid using the `merge-recursive` package entirely or to replace it with an actively maintained alternative that properly filters or rejects `__proto__` keys during merge operations.
Preconditions
- input: The application must use the merge-recursive library (version ≤ 0.0.3) to merge attacker-controlled JSON input into an object.
- input: The attacker must be able to supply a JSON string that includes a `__proto__` key.
Reproduction
```js
var merge = require('merge-recursive').recursive;
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {};
console.log("Before : " + a.oops);
merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops);
```
[ref_id=1]
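The remediation described under "What the fix does" is a merge that filters or rejects `__proto__` keys. The following is an added example of such a merge, written for this page and not code from the merge-recursive package; the function names `safeMerge` and `mergeUntrustedJson` are assumed, and the blocked-key set extends the advisory's `__proto__` with `constructor` and `prototype`, the other two keys a recursive merge can use to reach `Object.prototype`:

```javascript
// Added example (not merge-recursive's own code): a recursive merge that
// skips the keys through which a merge can reach Object.prototype, so the
// payload shown in the reproduction above leaves plain objects untouched.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Merge `source` into `target` in place and return `target`.
// Blocked keys are skipped and recorded in `rejected` so the caller can log them.
function safeMerge(target, source, rejected = []) {
  // Object.keys lists an own "__proto__" key produced by JSON.parse, so the
  // check below sees it before any assignment touches the accessor.
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) {
      rejected.push(key);
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      // Recurse only into a child the target owns; an inherited property
      // would otherwise let the merge walk into the shared prototype.
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value, rejected);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Parse untrusted JSON text and merge it into `target`; returns the merged
// object and the list of keys that were refused (hypothetical wrapper).
function mergeUntrustedJson(target, jsonText) {
  const rejected = [];
  const result = safeMerge(target, JSON.parse(jsonText), rejected);
  return { result, rejected };
}

// Constructed demonstration using the advisory's payload.
const demo = mergeUntrustedJson({}, '{"__proto__":{"oops":"It works !"}}');
console.log('rejected keys:', demo.rejected);        // [ '__proto__' ]
console.log('polluted?', ({}).oops !== undefined);   // false
```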
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cvxm-f295-x957 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-3751 (ghsa, ADVISORY)
- hackerone.com/reports/311337 (ghsa, x_refsource_MISC, WEB)
- www.npmjs.com/advisories/715 (ghsa, WEB)