CVE-2018-3753
Description
Prototype pollution in merge-objects Node module <=1.0.0 allows attackers to modify Object prototype.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The utilities function of the merge-objects Node module is vulnerable to prototype pollution in all versions up to and including 1.0.0 [1]. An attacker can manipulate the structure passed to this function to modify the prototype of Object, injecting properties that then exist on all objects.
Exploitation
An attacker must control a part of the object hierarchy passed to the utilities function. By including a key like __proto__ or constructor.prototype, they can pollute the Object prototype. No special network position or authentication is required if the attacker can supply input to the merge function [1].
Impact
Successful prototype pollution allows the attacker to add or modify properties on all objects. Depending on the application context, this can lead to denial of service, privilege escalation, or arbitrary code execution [1].
Mitigation
Update to a patched version of merge-objects greater than 1.0.0. If unable to update, review input validation and avoid passing untrusted structures to the utilities function [1].
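The input review described above can be made concrete. The following is an added example, not code from merge-objects or from the advisory: `findUnsafeKeys` and `safeMerge` are hypothetical helper names, and the sample input is constructed. It flags prototype-reaching keys in an untrusted structure and merges without following them.

```javascript
'use strict';

// Keys that can reach Object.prototype when a recursive merge follows them.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Return the dotted path of every unsafe key found in an untrusted structure.
function findUnsafeKeys(value, path = '', found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (UNSAFE_KEYS.has(key)) found.push(here);
    else findUnsafeKeys(value[key], here, found);
  }
  return found;
}

// Recursive merge that copies own enumerable keys only and skips unsafe ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      // Only descend into a property the target itself owns, never an inherited one.
      const dst = Object.prototype.hasOwnProperty.call(target, key) &&
        isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeMerge(dst, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed sample input: JSON.parse creates "__proto__" as an own key.
const untrusted = JSON.parse(
  '{"theme":"dark","prefs":{"lang":"en","__proto__":{"isAdmin":true}}}'
);

const flagged = findUnsafeKeys(untrusted);
const merged = safeMerge({ prefs: { lang: 'de', tz: 'UTC' } }, untrusted);
console.log(flagged);     // paths to reject or log before merging
console.log(merged);      // merged result without the unsafe key
console.log({}.isAdmin);  // a fresh object must not inherit isAdmin
```

Rejecting the request when `findUnsafeKeys` returns anything is the stricter option; `safeMerge` is the fallback when the input still has to be processed.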
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| merge-object (npm) | <= 1.0.0 | — |
Affected products: 1
Patches: 0
No patches discovered yet.
References
- github.com/advisories/GHSA-fp82-2h99-3fpp (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-3753 (ghsa, ADVISORY)
- hackerone.com/reports/310706 (ghsa, x_refsource_MISC, WEB)