High severity · OSV Advisory · Published Nov 19, 2019 · Updated Aug 4, 2024

CVE-2019-10768


Description

In AngularJS before 1.7.9 the function merge() could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
angular (npm)
< 1.7.9 | 1.7.9


Patches

add78e62004e

fix(angular.merge): do not merge __proto__ property

https://github.com/angular/angular.js · Pete Bacon Darwin · Nov 7, 2019 · via ghsa
2 files changed · +17 −2
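--- a/src/Angular.js
+++ b/src/Angular.js
@@ -342,8 +342,10 @@ function baseExtend(dst, objs, deep) {
         } else if (isElement(src)) {
           dst[key] = src.clone();
         } else {
-          if (!isObject(dst[key])) dst[key] = isArray(src) ? [] : {};
-          baseExtend(dst[key], [src], true);
+          if (key !== '__proto__') {
+            if (!isObject(dst[key])) dst[key] = isArray(src) ? [] : {};
+            baseExtend(dst[key], [src], true);
+          }
         }
       } else {
         dst[key] = src;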
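Review bot: The `__proto__` guard covers only the deep-recursion branch; the shallow assignment `dst[key] = src;` on the trailing context lines still runs for key `__proto__` when that branch is not taken (presumably when `deep` is false or `src` is not an object, the condition itself is outside the hunk), so a shallow extend with a `__proto__` key would replace `dst`'s own prototype. That does not reach `Object.prototype`, so it is outside this CVE, but the new check deserves a why-comment, e.g. `// skip '__proto__': dst[key] would resolve to Object.prototype and the recursion below would write into it`, and the shallow path is worth a follow-up. Style-wise the added nesting can be flattened to `} else if (key !== '__proto__') {` with identical behaviour. baseExtend starts before this hunk.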
    
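--- a/test/AngularSpec.js
+++ b/test/AngularSpec.js
@@ -814,6 +814,19 @@ describe('angular', function() {
       expect(isElement(dst.jqObject)).toBeTruthy();
       expect(dst.jqObject.nodeName).toBeUndefined(); // i.e it is a jqLite/jQuery object
     });
+
+    it('should not merge the __proto__ property', function() {
+      var src = JSON.parse('{ "__proto__": { "xxx": "polluted" } }');
+      var dst = {};
+
+      merge(dst, src);
+
+      if (typeof dst.__proto__ !== 'undefined') { // eslint-disable-line
+        // Should not overwrite the __proto__ property or pollute the Object prototype
+        expect(dst.__proto__).toBe(Object.prototype); // eslint-disable-line
+      }
+      expect(({}).xxx).toBeUndefined();
+    });
   });
 
 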
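Review bot: The new spec leaves `Object.prototype.xxx` set if the final expectation ever fails, which would cascade into unrelated specs in the same run; wrap the body in `try { ... } finally { delete Object.prototype.xxx; }` (or add an `afterEach`) so a regression surfaces as a single failure. It also exercises only a top-level `__proto__` key, whereas the guard in baseExtend runs at every recursion level; a nested payload such as `JSON.parse('{ "a": { "__proto__": { "yyy": "polluted" } } }')` followed by `expect(({}).yyy).toBeUndefined();` would pin that path as well. The enclosing `describe` block starts before this hunk.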
    


