VYPR
High severity · NVD Advisory · Published Jul 2, 2021 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23402

Description

The npm package record-like-deep-assign before version 2.0.0 is vulnerable to Prototype Pollution via its unsafe recursive merge logic.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

All versions of the npm package record-like-deep-assign prior to 2.0.0 are vulnerable to Prototype Pollution [1][2]. The flaw sits in the package's main function, which recursively copies the enumerable own properties of each source object onto a target object (Object.assign semantics, but descending into nested objects and merging them). The recursive merge does not exclude a key named __proto__. When a source carries an own property with that name whose value is an object (the shape JSON.parse produces for {"__proto__": {...}}), the merge reads target.__proto__, which for an ordinary object resolves to Object.prototype, and recurses into it, so the nested properties are written onto the global Object.prototype rather than onto the target. The vulnerable code path is triggered whenever deepAssign is called with a source object whose __proto__ property is an object [3].

Exploitation

An attacker exploits this by supplying a source object that carries __proto__ as an own enumerable property whose value is an object holding the properties to inject. That is exactly what JSON.parse returns for the request body {"__proto__": {"polluted": true}}. Note that the JavaScript object literal { '__proto__': { 'polluted': true } } does not produce such a property (a non-computed __proto__ key in a literal sets the literal's prototype instead and is not enumerated), so in practice the payload arrives as parsed JSON or another deserialized format. Passing that object as a source to deepAssign(target, ...sources) pollutes the prototype chain. No network position or authentication is required; exploitation is purely data-driven, and any application that uses record-like-deep-assign to merge untrusted user-supplied objects is at risk. The steps are: (1) supply a malicious object with an own __proto__ key as one of the source arguments to deepAssign, (2) the unsafe recursive merge descends into target.__proto__, which is Object.prototype, and copies the nested properties onto it, (3) every object in the process that inherits from Object.prototype now exposes the injected properties, enabling further attacks [2].

Impact

Successful prototype pollution can lead to a variety of impacts depending on the application context, including denial of service (by causing unexpected exceptions or infinite loops), property injection that alters application logic, and potentially remote code execution if the polluted properties are used in code paths that evaluate them (e.g., server-side template injection or modifying configuration). In general, the attacker gains the ability to tamper with the default properties of all JavaScript objects in the process, which can subvert security checks, bypass filters, or escalate privileges [2].

Mitigation

The fix was released in version 2.0.0 of record-like-deep-assign. Users should upgrade to version 2.0.0 or later [1][2]. If upgrading is not immediately possible, applications should avoid using the library to merge user-controlled objects, or should validate input by removing the __proto__ key (together with the constructor and prototype keys, which reach Object.prototype by another route) from source objects, recursively, before passing them to deepAssign.
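The following is an added example and not code from the record-like-deep-assign package. It reconstructs, in a minimal recursive merge written here, the unsafe pattern the Vulnerability and Exploitation sections describe, and puts beside it a hardened merge and a sanitizer of the kind the interim workaround above calls for. The function names unsafeDeepAssign, safeDeepAssign, stripPrototypeKeys and pollutes, the BLOCKED_KEYS list and the payload are this example's own; the payload is constructed, parsed with JSON.parse the way a request body would be.

```javascript
// Added example for CVE-2021-23402. Not the record-like-deep-assign source:
// a minimal recursive merge with the unsafe pattern the advisory describes,
// a hardened merge, and a sanitizer for the interim workaround.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Unsafe pattern: recurses into every own enumerable key of the source,
// including one literally named "__proto__". For an ordinary target,
// target["__proto__"] is Object.prototype, so the nested properties land there.
function unsafeDeepAssign(target, ...sources) {
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      const value = source[key];
      if (isPlainObject(value)) {
        if (!isPlainObject(target[key])) target[key] = {};
        unsafeDeepAssign(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Keys through which a merge can reach Object.prototype. "constructor" and
// "prototype" cover the constructor.prototype route against merges that also
// descend into function-valued keys.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened merge: skips the blocked keys and only recurses into nested objects
// the target actually owns, never into inherited ones.
function safeDeepAssign(target, ...sources) {
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      if (BLOCKED_KEYS.has(key)) continue;
      const value = source[key];
      if (isPlainObject(value)) {
        if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
          target[key] = {};
        }
        safeDeepAssign(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Interim workaround when the vulnerable merge cannot be replaced yet: rebuild
// the untrusted input without the blocked keys before handing it to the merge.
function stripPrototypeKeys(value) {
  if (Array.isArray(value)) return value.map(stripPrototypeKeys);
  if (!isPlainObject(value)) return value;
  const clean = {};
  for (const key of Object.keys(value)) {
    if (BLOCKED_KEYS.has(key)) continue;
    clean[key] = stripPrototypeKeys(value[key]);
  }
  return clean;
}

// Constructed attacker payload, parsed as a JSON request body would be.
// JSON.parse yields an own enumerable property named "__proto__"; the literal
// { '__proto__': {...} } would set the literal's prototype instead and never
// show up in Object.keys.
const PAYLOAD_JSON = '{"name": "alice", "__proto__": {"polluted": true}}';

function parsePayload() {
  return JSON.parse(PAYLOAD_JSON);
}

// Merges payload into a fresh target with mergeFn and reports whether an
// unrelated new object now inherits "polluted". Removes the property again so
// repeated runs start from a clean Object.prototype.
function pollutes(mergeFn, payload) {
  const target = {};
  mergeFn(target, payload);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

function main() {
  console.log('unsafe merge pollutes:', pollutes(unsafeDeepAssign, parsePayload()));                                // true
  console.log('unsafe merge + sanitizer pollutes:', pollutes(unsafeDeepAssign, stripPrototypeKeys(parsePayload()))); // false
  console.log('hardened merge pollutes:', pollutes(safeDeepAssign, parsePayload()));                                 // false
}

main();
```

The denylist is necessary in the hardened merge, not just the own-property check: assigning target['__proto__'] = {} would invoke the prototype setter and re-parent the target rather than create an own property, so the key has to be refused outright. The sanitizer is the fallback for code that must keep calling the vulnerable library until it can move to 2.0.0.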

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   Ecosystem   Affected versions   Patched versions
record-like-deep-assign   npm         <= 1.0.1            2.0.0

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 4
