VYPR
High severity · NVD Advisory · Published Mar 11, 2020 · Updated Aug 4, 2024

CVE-2019-10808

Description

A prototype pollution vulnerability in utilitify prior to 1.0.3 allows attackers to modify Object.prototype via the merge method, potentially leading to Denial of Service or other impacts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

What the vulnerability is

A prototype pollution vulnerability exists in the npm module utilitify prior to version 1.0.3. The merge method fails to properly restrict property assignment, allowing modification of Object.prototype [1]. This type of vulnerability can lead to unexpected behavior across the application, including Denial of Service [1].

How it's exploited

Exploitation requires the attacker to control input passed to the merge method, typically through user-supplied objects. By crafting a payload that includes properties like __proto__ or constructor.prototype, the attacker can inject properties that pollute the global object prototype [1]. No authentication is needed if the merge method is exposed directly to user input.

Impact

Prototype pollution can result in various impacts depending on the application. At minimum, it can cause unexpected application behavior, property overwrites, or Denial of Service. In certain contexts, it may enable arbitrary code execution or bypass security controls [1].

Mitigation status

The issue is fixed in utilitify version 1.0.3. All previous versions are affected and should be upgraded immediately [1][2]. There is no known workaround apart from upgrading to the patched version.
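An added example, not utilitify's code and not part of the advisory text: a naive recursive merge that shows the defect class described above, beside a merge that applies the same key-filtering rule the 1.0.3 patch introduces (the own-property guard is this example's addition, not the patch's), and a probe that reports whether Object.prototype was polluted by a merge. The function names (naiveMergeDeep, safeMergeDeep, isGlobalPrototypeClean, probeMerge) and the payload are constructed for this example.

```javascript
// Added example (not utilitify's code). Names and payload are assumptions.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern: recurses into every own key of the source, including a
// JSON-parsed "__proto__" key. target["__proto__"] resolves through the
// prototype chain to Object.prototype, so the recursion writes into it.
function naiveMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    const dst = target[key];
    if (isPlainObject(dst) && isPlainObject(src)) {
      naiveMergeDeep(dst, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Fixed pattern: skip the keys that reach the prototype chain (the rule the
// 1.0.3 patch applies) and only recurse into properties the target owns, so
// an inherited object is never mutated in place (this example's own guard).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const src = source[key];
    const dst = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (isPlainObject(dst) && isPlainObject(src)) {
      safeMergeDeep(dst, src);
    } else if (isPlainObject(src)) {
      target[key] = safeMergeDeep({}, src); // copy rather than alias the caller's object
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Regression probe: a fresh empty object must not see the marker property.
function isGlobalPrototypeClean(marker) {
  return !(marker in {});
}

// Merge a constructed payload (same shape as the patch's regression test) with
// the given merge function and report whether Object.prototype was polluted.
// The marker is removed afterwards so the process is left clean.
function probeMerge(mergeFn) {
  const marker = 'pp_probe_' + mergeFn.name;
  const payload = JSON.parse(`{"__proto__": {"${marker}": "polluted"}, "ok": 1}`);
  const dst = {};
  try {
    mergeFn(dst, payload);
    return { polluted: !isGlobalPrototypeClean(marker), ownOk: dst.ok === 1 };
  } finally {
    delete Object.prototype[marker];
  }
}

console.log('naive:', probeMerge(naiveMergeDeep)); // polluted: true
console.log('safe: ', probeMerge(safeMergeDeep));  // polluted: false
```

The probe is the shape of check a maintainer can keep in a test suite: it merges a known-bad payload and then asks a brand-new object whether it inherited the marker, which catches pollution regardless of which key path was used to get there.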

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package     Ecosystem   Affected versions   Patched versions
utilitify   npm         < 1.0.3             1.0.3

Patches

88d6e2700982

Merge pull request #22 from xcritical-software/fix/merge_prototype_pollution

https://github.com/xcritical-software/utilitify · Mikhail Andreev · Mar 10, 2020 · via GHSA
3 files changed · +30 −10
  • package.json (+1 −1, modified)
    @@ -1,6 +1,6 @@
     {
    
       "name": "utilitify",
    
    -  "version": "1.0.2",
    
    +  "version": "1.0.3",
    
       "description": "The utilities for working with a collections such as objects, arrays and primitives such as numbers, strings, etc.",
    
       "main": "index.js",
    
       "repository": "https://github.com/xcritical-software/utilitify.git",
    
    
  • src/__tests__/mergeDeep.test.ts (+17 −0, modified)
    @@ -1,7 +1,24 @@
    +/* eslint-disable @typescript-eslint/ban-ts-ignore */
     import { mergeDeep } from '../utils';
     
     
     describe('This is the tests for the "merge deep" util', () => {
    +  test('should not merge the __proto__ property', () => {
    +    const src = JSON.parse('{ "__proto__": { "xxx": "polluted" } }');
    +    const dst = {};
    +
    +    mergeDeep(dst, src);
    +    // @ts-ignore
    +    if (typeof dst.__proto__ !== 'undefined') { // eslint-disable-line
    +      // Should not overwrite the __proto__ property or pollute the Object prototype
    +      // @ts-ignore
    +      expect(dst.__proto__).toBe(Object.prototype); // eslint-disable-line
    +    }
    +
    +    // @ts-ignore
    +    expect(({}).xxx).toBeUndefined();
    +  });
    +
       test('Merge two objects', () => {
         expect(mergeDeep({ a: 1, b: 2 }, { b: 3, c: 4 })).toEqual({ a: 1, b: 3, c: 4 });
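Review bot: the `if (typeof dst.__proto__ !== 'undefined')` guard makes the `expect(dst.__proto__).toBe(Object.prototype)` assertion conditional, so a regression that left `dst.__proto__` undefined would pass silently; assert unconditionally with `expect(Object.getPrototypeOf(dst)).toBe(Object.prototype)`, which also removes the need for the `@ts-ignore` and eslint suppressions on those lines. The test only exercises the `__proto__` key, while `checkValidKeys` in this PR also blocks `constructor` and `prototype`; add a case whose source is `JSON.parse('{ "constructor": { "prototype": { "yyy": "polluted" } } }')` and assert that `({}).yyy` is still undefined, so the other two branches of the filter are covered. Building the source with `JSON.parse` rather than an object literal is correct here, since a literal `{ __proto__: ... }` would set the prototype instead of creating an own key.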
     
    
  • src/utils/mergeDeep.ts (+12 −9, modified)
    @@ -4,17 +4,20 @@ import { isObject } from './isObject';
     import { AllType } from '../interfaces';
     
     
    +const checkValidKeys = (key: string): boolean => key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
    +
     const merge = (target: AllType, obj: AllType): AllType => {
       Object.keys(obj).forEach((key: string): void => {
    -    const oldVal = obj[key];
    -    const newVal = target[key];
    -
    -    if (isObject(newVal) && isObject(oldVal)) {
    -      target[key] = merge(newVal, oldVal);
    -    } else if (Array.isArray(newVal)) {
    -      target[key] = union([], newVal, oldVal);
    -    } else {
    -      target[key] = cloneDeep(oldVal);
    +    if (checkValidKeys(key)) {
    +      const oldVal = obj[key];
    +      const newVal = target[key];
    +      if (isObject(newVal) && isObject(oldVal)) {
    +        target[key] = merge(newVal, oldVal);
    +      } else if (Array.isArray(newVal)) {
    +        target[key] = union([], newVal, oldVal);
    +      } else {
    +        target[key] = cloneDeep(oldVal);
    +      }
         }
       });
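Review bot: `checkValidKeys` closes the `__proto__`, `constructor` and `prototype` paths, but `const newVal = target[key];` still reads through the prototype chain, so when `target` inherits an object-valued property under `key` (an instance whose class prototype carries an object, for example) `merge(newVal, oldVal)` mutates that shared inherited object instead of creating an own property on `target`. Resolve `newVal` only when `Object.prototype.hasOwnProperty.call(target, key)` holds and otherwise fall through to the `cloneDeep` branch. Two smaller points: skipping `constructor` also drops a legitimate own property named `constructor` from the merge, which is a behaviour change worth a line in the changelog; and `checkValidKeys` takes one key and returns a boolean, so a name like `isSafeKey` reads more accurately, while `oldVal`/`newVal` are inverted relative to their meaning (`oldVal` is the incoming value from `obj`), though that naming predates this change.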
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
