VYPR
Moderate severity · NVD Advisory · Published Jul 25, 2022 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23397

Description

The @ianwalter/merge npm package is vulnerable to Prototype Pollution through its main merge function, allowing attackers to inject properties into Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The @ianwalter/merge npm package (all versions) is vulnerable to Prototype Pollution via its main merge function [1]. The flaw stems from an unsafe recursive merge of source objects into a target object without proper sanitization of special keys like __proto__, constructor, or prototype. When the source object contains a property named __proto__, the merge function recurses onto the prototype of Object itself, polluting the global Object prototype [2].

Exploitation

An attacker can trigger the vulnerability by passing a crafted source object containing a malicious __proto__ property to the merge function. No authentication is required, as any application that merges untrusted user-controlled data using this library is susceptible. The attack surface depends on how the application processes user input; for example, merging JSON payloads from HTTP requests or deserializing data can provide an entry point [1][2].

Impact

Successful exploitation leads to polluting the base Object prototype, causing all JavaScript objects in the runtime to inherit the injected properties. This can result in denial of service (via exceptions) or, more critically, can alter application logic and enable cross-site scripting or remote code execution depending on how the polluted properties are used in the application [2].

Mitigation

No official fix is available for the @ianwalter/merge package. The maintainer recommends migrating to the @generates/merger package as a replacement [1]. Users should audit their dependencies and avoid merging untrusted data with vulnerable implementations.
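The unsafe recursive-merge pattern described under Vulnerability, placed beside the key filtering a safe replacement must do, as an added example that is not the package's own code; `unsafeMerge`, `safeMerge`, `prototypeIsClean` and the two parsed payloads are constructed for illustration:

```javascript
// Keys whose presence in untrusted input lets a recursive merge reach
// Object.prototype (directly via __proto__, or via constructor.prototype).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Illustrative unsafe deep merge (the bug class, not the package's code): it
// recurses into whatever target[key] resolves to, so a source key "__proto__"
// makes the recursion land on Object.prototype and write there.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened deep merge: drops the three prototype-bearing keys and only
// recurses into a container that is an own, plain-object property of target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Runtime check: a fresh empty object must not "see" the marker property
// through its prototype chain.
function prototypeIsClean(marker) {
  return !(marker in {});
}

// Constructed payloads of the shape a JSON request body would carry; JSON.parse
// turns "__proto__" into an own, enumerable key, which is what the merge walks.
const PAYLOAD_PROTO = JSON.parse('{"__proto__": {"polluted": true}, "name": "demo"}');
const PAYLOAD_CTOR = JSON.parse('{"constructor": {"prototype": {"polluted": true}}}');
```

`safeMerge` keeps benign keys such as `name` while never creating an own `__proto__` or `constructor` entry, so `prototypeIsClean('polluted')` stays true after merging either payload.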

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: @ianwalter/merge (npm)
Affected versions: <= 9.0.1
Patched versions: none

Affected products: 2

Patches: none discovered yet.
