VYPR
Moderate severity · NVD Advisory · Published Mar 9, 2020 · Updated Aug 4, 2024

CVE-2019-10806

Description

vega-util prior to 1.13.1 is vulnerable to prototype pollution via mergeConfig, allowing attackers to modify Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Root Cause

The vega.mergeConfig function in vega-util prior to version 1.13.1, together with the writeConfig helper it calls, copied every enumerable key of the supplied configuration objects without filtering, including the __proto__ key. Because writeConfig reuses an existing object found at output[key] as the merge target, and output['__proto__'] resolves to Object.prototype, a crafted configuration object carrying an own __proto__ key caused the merge to write the attacker's properties directly onto Object.prototype [2].

Exploitation

An attacker exploits this by supplying to mergeConfig a configuration object that carries an own __proto__ key, for example one produced by JSON.parse of untrusted input (an object literal written in source code does not create such a key; it sets the prototype at creation and leaves nothing for a for...in loop to find). No authentication is required beyond the ability to control the configuration object passed to the function. The attack surface is any application that passes user-controllable data to vega-util's mergeConfig [3].

Impact

Successful exploitation pollutes Object.prototype, so the attacker-chosen properties appear on every object that inherits from it, which in practice means nearly every object in the runtime. Depending on how other parts of the application read those properties, this can result in denial of service, property injection, or remote code execution [2].

Mitigation

The vulnerability has been patched in vega-util version 1.13.1. The fix adds an isLegalKey function (a check that the key is not __proto__) and has writeConfig skip such keys both when they are the key being written and when they are nested keys being copied [3]. Users should update to 1.13.1 or later.
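As an added example (not the advisory's, vega's or vega-util's own code): a reduced JavaScript re-creation of the pre-1.13.1 mergeConfig/writeConfig shape next to the patched shape, run against the same JSON-parsed payload, so the pollution and the fix can be observed side by side. The isObject/isArray helpers and the scalar-assignment branch are assumptions modelled on vega-util rather than imports from it, and the legend/style recursion rules are omitted because they are not needed to show the sink.

```javascript
// Added example, not vega-util's code. isObject/isArray are assumptions
// modelled on vega-util's helpers; the else branch for non-object values is
// assumed, since the advisory's diff does not show it.
const isArray = Array.isArray;
const isObject = v => v === Object(v);

// Builds a mergeConfig; `guard(key)` decides whether a key may be written.
// The vulnerable version accepts every key, the patched one rejects __proto__.
function makeMerge(guard) {
  function writeConfig(output, key, value, recurse) {
    if (!guard(key)) return;                         // patched: skip __proto__
    if (isObject(value) && !isArray(value)) {
      // Pollution sink: for key === '__proto__', output[key] IS
      // Object.prototype, so `o` aliases it and every o[k] write lands there.
      const o = isObject(output[key]) ? output[key] : (output[key] = {});
      for (const k in value) {
        if (recurse && (recurse === true || recurse[k])) {
          writeConfig(o, k, value[k]);
        } else if (guard(k)) {                       // patched: skip nested __proto__
          o[k] = value[k];
        }
      }
    } else {
      output[key] = value;                           // assumed scalar/array path
    }
  }
  return (...configs) =>
    configs.reduce((out, source) => {
      for (const key in source) writeConfig(out, key, source[key], null);
      return out;
    }, {});
}

const mergeConfigVulnerable = makeMerge(() => true);
const mergeConfigPatched = makeMerge(key => key !== '__proto__');

// Constructed attacker input, e.g. a request body. It must go through
// JSON.parse: a source literal {__proto__: {...}} sets the prototype at
// creation and leaves no own key for for..in to enumerate.
const PAYLOAD_JSON = '{"__proto__": {"vulnerable": "Polluted"}}';

// Merges a legitimate config with the payload under the given mergeConfig and
// reports whether Object.prototype was polluted and whether the legitimate
// config survived. Cleans up afterwards so later code starts from a clean slate.
function pollutionProbe(mergeConfig) {
  const payload = JSON.parse(PAYLOAD_JSON);
  const merged = mergeConfig({symbol: {shape: 'triangle-right'}}, payload);
  const result = {
    globalPolluted: ({}).vulnerable === 'Polluted',  // a fresh object sees it?
    shapeKept: merged.symbol.shape === 'triangle-right',
  };
  delete Object.prototype.vulnerable;
  return result;
}
```

Running pollutionProbe(mergeConfigVulnerable) reports globalPolluted true, while pollutionProbe(mergeConfigPatched) reports false with the legitimate symbol.shape preserved in both cases; the single difference between the two merges is the guard on the key.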

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Affected versions    Patched versions
vega-util (npm)     < 1.13.1             1.13.1

Affected products: 2

Patches: 1

Commit 8f33a0b5170d

Fix prototype pollution in mergeConfig.

https://github.com/vega/vega · Jeffrey Heer · Mar 5, 2020 · via ghsa
2 files changed · +18 −2
  • packages/vega-util/src/mergeConfig.js · +6 −2 · modified
    @@ -1,6 +1,8 @@
     import isArray from './isArray';
     import isObject from './isObject';
     
    +const isLegalKey = key => key !== '__proto__';
    +
     export function mergeConfig(...configs) {
       return configs.reduce((out, source) => {
         for (var key in source) {
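Review bot: the new `isLegalKey` rejects only the literal `__proto__`; `constructor` and `prototype` still pass, and because `writeConfig` picks `output[key]` as the merge target whenever it is an object, a `constructor` key resolves to the built-in `Object` function rather than a fresh config object. Suggest extending the check to those two keys (or restricting the merge to own properties via `Object.prototype.hasOwnProperty`) so config merging never touches built-ins, and adding a one-line comment on `isLegalKey` saying why it exists.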
    @@ -14,7 +16,7 @@ export function mergeConfig(...configs) {
             // for legend block, recurse for the layout entry only
             // for style block, recurse for all properties
             // otherwise, no recursion: objects overwrite, no merging
    -        var r = key === 'legend' ? {'layout': 1}
    +        var r = key === 'legend' ? {layout: 1}
               : key === 'style' ? true
               : null;
             writeConfig(out, key, source[key], r);
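Review bot: the change from `{'layout': 1}` to `{layout: 1}` in this hunk is cosmetic and unrelated to the prototype pollution fix; mixing style churn into a security patch makes the backport diff noisier and harder to audit. Suggest keeping it for a separate commit.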
    @@ -25,13 +27,15 @@ export function mergeConfig(...configs) {
     }
     
     export function writeConfig(output, key, value, recurse) {
    +  if (!isLegalKey(key)) return;
    +
       var k, o;
       if (isObject(value) && !isArray(value)) {
         o = isObject(output[key]) ? output[key] : (output[key] = {});
         for (k in value) {
           if (recurse && (recurse === true || recurse[k])) {
             writeConfig(o, k, value[k]);
    -      } else {
    +      } else if (isLegalKey(k)) {
             o[k] = value[k];
           }
         }
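Review bot: the guard is applied in two places here, at the top of `writeConfig` and again only on the non-recursive branch (`} else if (isLegalKey(k)) {`), while the recursive branch relies on the callee's check. A single `if (!isLegalKey(k)) continue;` at the top of the `for (k in value)` loop would state the intent once and protect both branches regardless of future edits to the recursion. Also, an illegal key is now dropped silently; a short comment saying the drop is deliberate would help the next reader.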
    
  • packages/vega-util/test/mergeConfig-test.js · +12 −0 · modified
    @@ -78,3 +78,15 @@ tape('mergeConfig handles empty arguments', function(t) {
       t.deepEqual(vega.mergeConfig(null, undefined, c), c);
       t.end();
     });
    +
    +tape('mergeConfig must not allow prototype pollution', function(t) {
    +  const config = {symbol: {shape: 'triangle-right'}},
    +        payload = JSON.parse('{"__proto__": {"vulnerable": "Polluted"}}'),
    +        merged = vega.mergeConfig(config, payload, {symbol: payload});
    +
    +  t.equal(merged.__proto__.vulnerable, undefined);
    +  t.equal(merged.symbol.__proto__.vulnerable, undefined);
    +  t.equal(Object.prototype.vulnerable, undefined);
    +
    +  t.end();
    +});
    \ No newline at end of file
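Review bot: the new test only asserts that the `__proto__` key from the JSON-parsed payload is ignored; it never checks that the legitimate sibling config still merged (e.g. `t.equal(merged.symbol.shape, 'triangle-right')`), so a filter that dropped everything would also pass. Suggest adding that assertion, plus a case where the payload arrives under a recursing block (`style`, which recurses for all properties) so the `writeConfig(o, k, value[k])` path is exercised too. Minor: the file is left without a trailing newline.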
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.