VYPR
High severity · NVD Advisory · Published Aug 20, 2019 · Updated Aug 4, 2024

CVE-2019-10745

Description

assign-deep before 0.4.8 and 1.0.0 is vulnerable to Prototype Pollution via constructor or __proto__ payload, allowing property injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The assign-deep npm package deeply assigns the enumerable own properties (and symbols) of one or more source objects onto a target object. Versions before 0.4.8 and version 1.0.0 are vulnerable to Prototype Pollution [1]. The 0.x code rejected only a key literally named __proto__, so a source object of the form {"constructor": {"prototype": {...}}} still reached Object.prototype: the recursive merge looks up target.constructor (the Object function) and then its prototype property. The 1.0.0 rewrite rejected no keys at all. Either way an attacker can inject or modify properties of Object.prototype [1][2]; the fix commits add constructor and prototype to the rejected keys in both release lines.

Exploitation

An attacker who can influence a source object passed to assign-deep, typically a JSON request body, supplies an object with a __proto__ key, or a constructor key carrying a nested prototype object. JSON.parse turns "__proto__" into an ordinary own property, so the merge enumerates it, reads target.__proto__ (which is Object.prototype) and merges the nested object into it [1]. No authentication is required if the vulnerable code path is exposed to untrusted data; what matters is whether the application merges such input with this library.

Impact

Successful prototype pollution adds or changes properties on Object.prototype, which every object that does not define them itself then inherits: a check such as if (user.isAdmin) on a record that never set isAdmin becomes true, and a polluted property of an unexpected type can crash code that assumed the property was absent. The concrete consequence (denial of service, privilege escalation, or in some cases code execution) therefore depends on how the application and its other dependencies use the polluted properties [1][2]. The maintainer described the bug as "critical" [2][4].

Mitigation

The vulnerability is fixed in 0.4.8 for the 0.x line and 1.0.1 for the 1.x line [2][4]; 1.0.0 is the only affected 1.x release. Upgrade to the patched version for the line in use. assign-deep is usually pulled in transitively, so run npm ls assign-deep to see which dependency requires it and whether a lockfile pins an affected version. Short of upgrading there is no fix inside the library; the only mitigations are to stop passing untrusted objects to it, or to harden the runtime by freezing Object.prototype, which can break dependencies that extend it.
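The mechanics described above, as an added example that is not assign-deep's own code: a small recursive deep-assign in the shape of the 1.x loop shown in the patch, run under three key policies (no check, as in 1.0.0; reject only __proto__, as in 0.4.x before 0.4.8; the isValidKey denylist from the fix) against two constructed JSON payloads. The names noFilter, protoOnly, makeDeepAssign, leaksToOtherObjects and the payload constants are mine, and isObject treating functions as objects is an assumption made so the merge can walk target.constructor the way the constructor/prototype route needs; the package's real helper is not on this page.

```javascript
'use strict';

// Added example, not assign-deep's own code. One deep-assign loop,
// parameterised by the key policy, shows which payloads reach
// Object.prototype under each release's behaviour.

// Assumption: functions count as objects so the merge can descend into
// target.constructor (the Object function); the real helper is not shown.
const isObject = v => v !== null && (typeof v === 'object' || typeof v === 'function');

// Key policies named after the releases they correspond to (names are mine).
const noFilter = () => true;                     // 1.0.0: no key check at all
const protoOnly = key => key !== '__proto__';    // 0.4.x before 0.4.8
const isValidKey = key =>                        // 0.4.8 / 1.0.1 (from the fix)
  key !== '__proto__' && key !== 'constructor' && key !== 'prototype';

// Recursive deep-assign in the shape of the fixed 1.x loop: enumerate own
// keys, recurse when both sides are objects, otherwise assign.
function makeDeepAssign(allowKey) {
  return function deepAssign(target, ...sources) {
    for (const src of sources) {
      if (!isObject(src)) continue;
      for (const key of Object.keys(src)) {
        if (!allowKey(key)) continue;           // rejected keys are dropped silently
        if (isObject(target[key]) && isObject(src[key])) {
          deepAssign(target[key], src[key]);
        } else {
          target[key] = src[key];
        }
      }
    }
    return target;
  };
}

// Constructed attacker payloads as they would arrive in a JSON body.
// JSON.parse makes "__proto__" an ordinary own property, so Object.keys
// lists it and the merge then reads target.__proto__, i.e. Object.prototype.
const PROTO_PAYLOAD = '{"__proto__":{"isAdmin":true}}';
const CTOR_PAYLOAD = '{"constructor":{"prototype":{"isAdmin":true}}}';

// Merge a payload into a throwaway object, then ask whether an unrelated
// object created afterwards inherits isAdmin. Object.prototype is cleaned
// up in finally so one run cannot influence the next.
function leaksToOtherObjects(allowKey, payloadJson) {
  const merge = makeDeepAssign(allowKey);
  try {
    merge({}, JSON.parse(payloadJson));
    const user = { name: 'guest' };            // never sets isAdmin itself
    return user.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

// Policy x payload matrix: which release behaviour is polluted by which key.
function pollutionMatrix() {
  const policies = { noFilter, protoOnly, isValidKey };
  const payloads = { PROTO_PAYLOAD, CTOR_PAYLOAD };
  const out = {};
  for (const [pName, policy] of Object.entries(policies)) {
    out[pName] = {};
    for (const [jName, json] of Object.entries(payloads)) {
      out[pName][jName] = leaksToOtherObjects(policy, json);
    }
  }
  return out;
}

// The fixed policy still merges ordinary nested data ...
function fixedMergesNormalData() {
  return makeDeepAssign(isValidKey)({ a: { b: 1 } }, JSON.parse('{"a":{"c":2}}'));
}

// ... but, being an exact-match denylist, it silently drops a plain data key
// named "prototype" even on a target that has nothing to do with functions.
function fixedDropsPrototypeKey() {
  return makeDeepAssign(isValidKey)({}, { prototype: 'just data' });
}

console.log(pollutionMatrix());
console.log(fixedMergesNormalData(), fixedDropsPrototypeKey());
```

The matrix is the point: the __proto__-only check of the old 0.x line stops the first payload and not the second, which is why 0.4.x releases before 0.4.8 are listed as affected alongside 1.0.0, while the three-name denylist stops both. The last function shows the cost of that denylist, a legitimate key named "prototype" vanishing without an error, which is worth knowing before feeding this function configuration objects.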

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions     Patched versions
assign-deep    npm         < 0.4.8               0.4.8
assign-deep    npm         >= 1.0.0, < 1.0.1     1.0.1

Affected products: 1

Patches (2)

8e3cc4a34246

ensure keys are valid

1 file changed · +9 −1
  • index.js  +9 −1  modified
    @@ -37,7 +37,7 @@ function extend(target, obj) {
       assignSymbols(target, obj);
     
       for (var key in obj) {
    -    if (key !== '__proto__' && hasOwn(obj, key)) {
    +    if (isValidKey(key) && hasOwn(obj, key)) {
           var val = obj[key];
           if (isObject(val)) {
             if (typeOf(target[key]) === 'undefined' && typeOf(val) === 'function') {
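Review bot: the isValidKey(key) guard inside the for...in loop drops a rejected key silently, so a caller whose object carries a legitimate data key named "prototype" (not just "__proto__" or "constructor") now loses it with no signal; at minimum the README should say so. Note also that target[key] on the following lines is read without an own-property check on the target, so a source key naming an inherited property of the target is still resolved through the prototype chain and, when isObject(val) holds, recursed into; the denylist is the only thing standing between the merge and shared objects. This commit touches only index.js, so there is no regression test: add one that merges JSON.parse('{"__proto__":{"polluted":1}}') and JSON.parse('{"constructor":{"prototype":{"polluted":1}}}') into a fresh object and asserts that ({}).polluted stays undefined.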
    @@ -68,6 +68,14 @@ function hasOwn(obj, key) {
       return Object.prototype.hasOwnProperty.call(obj, key);
     }
     
    +/**
    + * Returns true if the given `key` is a valid key that can be used for assigning properties.
    + */
    +
    +function isValidKey(key) {
    +  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
    +}
    +
     /**
      * Expose `assign`
      */
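Review bot: the docblock says the key is "valid" without saying why these three names are rejected; state that "__proto__", "constructor" and "prototype" are refused because the recursive merge would otherwise reach Object.prototype through them, and that the function is an exact-match denylist rather than a general sanitiser, so callers must not treat it as a security boundary for untrusted input. Mention the side effect too: a plain key named "prototype" is dropped from every merge.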
    
90bf1c551d05

disallow keys

https://github.com/jonschlinkert/assign-deep · Jon Schlinkert · Jun 19, 2019 · via ghsa
4 files changed · +33 −18
  • index.js  +12 −5  modified
    @@ -7,19 +7,26 @@
     
     'use strict';
     
    -const assignSymbols = require('assign-symbols');
     const toString = Object.prototype.toString;
    +const assignSymbols = require('assign-symbols');
    +
    +const isValidKey = key => {
    +  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
    +};
    +
     const assign = module.exports = (target, ...args) => {
       let i = 0;
       if (isPrimitive(target)) target = args[i++];
       if (!target) target = {};
       for (; i < args.length; i++) {
         if (isObject(args[i])) {
           for (const key of Object.keys(args[i])) {
    -        if (isObject(target[key]) && isObject(args[i][key])) {
    -          assign(target[key], args[i][key]);
    -        } else {
    -          target[key] = args[i][key];
    +        if (isValidKey(key)) {
    +          if (isObject(target[key]) && isObject(args[i][key])) {
    +            assign(target[key], args[i][key]);
    +          } else {
    +            target[key] = args[i][key];
    +          }
             }
           }
           assignSymbols(target, args[i]);
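Review bot: the isValidKey check wrapped around the loop body skips the key silently, so a merge whose source contains a plain data key named "prototype" now loses it without any error; either document that or throw, since silent drops hide misconfiguration. The removed lines show that 1.0.0 had no key check at all, not even the __proto__ test the 0.x branch had, so a regression test is essential here, yet none of the four changed files is a test: add one covering both the "__proto__" and the "constructor"/"prototype" payloads. The moved "const assignSymbols = require('assign-symbols');" line is an unrelated reorder that pads the diff of a security fix; keep the fix commit to the guard itself.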
    
  • package.json  +3 −3  modified
    @@ -27,8 +27,8 @@
         "assign-symbols": "^2.0.2"
       },
       "devDependencies": {
    -    "gulp-format-md": "^1.0.0",
    -    "mocha": "^5.2.0"
    +    "gulp-format-md": "^2.0.0",
    +    "mocha": "^6.1.4"
       },
       "keywords": [
         "assign",
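Review bot: the gulp-format-md and mocha major-version bumps in devDependencies are unrelated to the key-filtering fix and belong in their own commit; bundling tooling upgrades into a security patch makes the fix harder to review and to backport to the 0.x line.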
    @@ -70,4 +70,4 @@
           "reflinks": true
         }
       }
    -}
    +}
    \ No newline at end of file
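Review bot: this hunk only strips the trailing newline from package.json (the "-}" / "+}" pair with "No newline at end of file"); that is churn, and npm itself rewrites package.json with a trailing newline on the next install or version bump, so drop the hunk.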
    
  • README.md  +13 −9  modified
    @@ -1,4 +1,4 @@
    -# assign-deep [![NPM version](https://img.shields.io/npm/v/assign-deep.svg?style=flat)](https://www.npmjs.com/package/assign-deep) [![NPM monthly downloads](https://img.shields.io/npm/dm/assign-deep.svg?style=flat)](https://npmjs.org/package/assign-deep) [![NPM total downloads](https://img.shields.io/npm/dt/assign-deep.svg?style=flat)](https://npmjs.org/package/assign-deep) [![Linux Build Status](https://img.shields.io/travis/jonschlinkert/assign-deep.svg?style=flat&label=Travis)](https://travis-ci.org/jonschlinkert/assign-deep)
    +# assign-deep [![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=W8YFZ425KND68) [![NPM version](https://img.shields.io/npm/v/assign-deep.svg?style=flat)](https://www.npmjs.com/package/assign-deep) [![NPM monthly downloads](https://img.shields.io/npm/dm/assign-deep.svg?style=flat)](https://npmjs.org/package/assign-deep) [![NPM total downloads](https://img.shields.io/npm/dt/assign-deep.svg?style=flat)](https://npmjs.org/package/assign-deep) [![Linux Build Status](https://img.shields.io/travis/jonschlinkert/assign-deep.svg?style=flat&label=Travis)](https://travis-ci.org/jonschlinkert/assign-deep)
     
     > Deeply assign the values of all enumerable-own-properties and symbols from one or more source objects to a target object. Returns the target object.
     
    @@ -12,6 +12,10 @@ Install with [npm](https://www.npmjs.com/):
     $ npm install --save assign-deep
     ```
     
    +## Heads up!
    +
    +[Please update](https://github.com/update/update) to version 1.0.1 or later, a critical bug was fixed in that version.
    +
     ## Behavior
     
     * This follows the same behavior as [Object.assign()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/assign), and thus _does not_ deep clone values.
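Review bot: the "Please update" link in the new Heads up section points at https://github.com/update/update, the repository of the update tool, not at this package's release or advisory; a reader following it lands somewhere unrelated. Link to the release notes or the advisory instead, say what the critical bug was (prototype pollution through "__proto__", "constructor" and "prototype" keys), and mention 0.4.8 for users still on the 0.x line, since "1.0.1 or later" covers only half of the affected versions.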
    @@ -91,31 +95,31 @@ $ npm install -g verbose/verb#dev verb-generate-readme && verb
     
     You might also be interested in these projects:
     
    -* [assign-symbols](https://www.npmjs.com/package/assign-symbols): Assign the enumerable es6 Symbol properties from an object (or objects) to the first object… [more](https://github.com/jonschlinkert/assign-symbols) | [homepage](https://github.com/jonschlinkert/assign-symbols "Assign the enumerable es6 Symbol properties from an object (or objects) to the first object passed on the arguments. Can be used as a supplement to other extend, assign or merge methods as a polyfill for the Symbols part of the es6 Object.assign method.")
    +* [assign-symbols](https://www.npmjs.com/package/assign-symbols): Assign the enumerable es6 Symbol properties from one or more objects to the first object… [more](https://github.com/jonschlinkert/assign-symbols) | [homepage](https://github.com/jonschlinkert/assign-symbols "Assign the enumerable es6 Symbol properties from one or more objects to the first object passed on the arguments. Can be used as a supplement to other extend, assign or merge methods as a polyfill for the Symbols part of the es6 Object.assign method.")
     * [extend-shallow](https://www.npmjs.com/package/extend-shallow): Extend an object with the properties of additional objects. node.js/javascript util. | [homepage](https://github.com/jonschlinkert/extend-shallow "Extend an object with the properties of additional objects. node.js/javascript util.")
     * [merge-deep](https://www.npmjs.com/package/merge-deep): Recursively merge values in a javascript object. | [homepage](https://github.com/jonschlinkert/merge-deep "Recursively merge values in a javascript object.")
     * [mixin-deep](https://www.npmjs.com/package/mixin-deep): Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone… [more](https://github.com/jonschlinkert/mixin-deep) | [homepage](https://github.com/jonschlinkert/mixin-deep "Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone. No dependencies.")
     
     ### Contributors
     
    -| **Commits** | **Contributor** | 
    -| --- | --- |
    -| 27 | [jonschlinkert](https://github.com/jonschlinkert) |
    -| 14 | [doowb](https://github.com/doowb) |
    +| **Commits** | **Contributor** |  
    +| --- | --- |  
    +| 31 | [jonschlinkert](https://github.com/jonschlinkert) |  
    +| 14 | [doowb](https://github.com/doowb) |  
     
     ### Author
     
     **Jon Schlinkert**
     
    -* [LinkedIn Profile](https://linkedin.com/in/jonschlinkert)
     * [GitHub Profile](https://github.com/jonschlinkert)
     * [Twitter Profile](https://twitter.com/jonschlinkert)
    +* [LinkedIn Profile](https://linkedin.com/in/jonschlinkert)
     
     ### License
     
    -Copyright © 2018, [Jon Schlinkert](https://github.com/jonschlinkert).
    +Copyright © 2019, [Jon Schlinkert](https://github.com/jonschlinkert).
     Released under the [MIT License](LICENSE).
     
     ***
     
    -_This file was generated by [verb-generate-readme](https://github.com/verbose/verb-generate-readme), v0.6.0, on August 07, 2018._
    \ No newline at end of file
    +_This file was generated by [verb-generate-readme](https://github.com/verbose/verb-generate-readme), v0.8.0, on June 19, 2019._
    \ No newline at end of file
    
  • .verb.md  +5 −1  modified
    @@ -1,3 +1,7 @@
    +## Heads up!
    +
    +[Please update][update] to version 1.0.1 or later, a critical bug was fixed in that version.
    +
     ## Behavior
     
     - This follows the same behavior as [Object.assign()][assign], and thus _does not_ deep clone values.
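Review bot: README.md is generated from this file with reflinks enabled (see the package.json and the generated-by footer in the README hunks), so the [update] reflink here is what resolves to https://github.com/update/update in the README; change it to point at the advisory or the release, and make the notice itself name the bug and the 0.4.8 fix for the 0.x line rather than only "1.0.1 or later".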
    @@ -40,4 +44,4 @@ console.log(assign(config, locals));
     // }
     ```
     
    -[assign]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/assign
    +[assign]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/assign
    \ No newline at end of file
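Review bot: like the package.json hunk, this change only removes the trailing newline after the [assign] reflink and should be dropped from the fix commit.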
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)


News mentions: 0 (no linked articles in the index yet)