High severity · NVD Advisory · Published Jul 2, 2021 · Updated Sep 17, 2024
Prototype Pollution
CVE-2021-23403
Description
All versions of package ts-nodash are vulnerable to Prototype Pollution via the Merge() function due to a lack of input validation.
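The effect of the key check in the fix commit, as an added example that is not code from ts-nodash or from this advisory: a minimal recursive merge run once without and once with the patch's blocked-key list. `mergeInto`, `runDemo` and the sample JSON are hypothetical names and constructed input.

```typescript
// Added illustration: a minimal merge, NOT ts-nodash's source.
// All function names here are hypothetical.
type Obj = { [key: string]: any };

// Key list taken from the fix commit shown on this page.
const BLOCKED_KEYS = ["__proto__", "constructor", "prototype"];

function isPlainObject(v: any): boolean {
  return Object.prototype.toString.call(v) === "[object Object]";
}

// guard=false follows every enumerable key (the pre-fix loop shape);
// guard=true skips blocked keys the way the patched loop does.
function mergeInto(target: Obj, source: Obj, guard: boolean): Obj {
  for (const p in source) {
    if (guard && BLOCKED_KEYS.indexOf(p) !== -1) continue;
    if (isPlainObject(target[p]) && isPlainObject(source[p])) {
      mergeInto(target[p], source[p], guard);
    } else {
      target[p] = source[p];
    }
  }
  return target;
}

function runDemo(): { unguarded: any; guarded: any; keptKeys: string[] } {
  // Constructed input. JSON.parse stores "__proto__" as an ordinary own key,
  // so for...in hands it to the merge like any other property.
  const input =
    '{"__proto__":{"polluted":"yes"},"constructor":"Acme Ltd","theme":"dark"}';

  mergeInto({}, JSON.parse(input), false);
  const unguarded = ({} as Obj).polluted; // read from an unrelated object
  delete (Object.prototype as any).polluted; // restore global state

  const merged = mergeInto({}, JSON.parse(input), true);
  const guarded = ({} as Obj).polluted;

  // The denylist also drops the harmless string value under "constructor".
  return { unguarded, guarded, keptKeys: Object.keys(merged) };
}

console.log(runDemo());
```

The `keptKeys` result shows the trade-off of a name-based denylist: data that legitimately uses `constructor` or `prototype` as a key is lost in the merge.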
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ts-nodash (npm) | < 1.2.7 | 1.2.7 |
Affected products (1)
Patches (1)
b9cc2b3b49f6: Security fix for Prototype Pollution (#20)
1 file changed · +6 −1
src/Merge.ts+6 −1 modified@@ -47,13 +47,18 @@ const handleDefaultBehavior = (originalObject: any, newObject: any, behavior?: if (originalTypeName === "Object" && newTypeName === "Object") { // built-in behavior // tslint:disable:forin for (const p in newObject) { + if (isPrototypePolluted(p)) continue originalObject[p] = processBehavior(originalObject[p], newObject[p], behavior); } // tslint:enable:forin return originalObject; } }; +const isPrototypePolluted = (key: any) => { + return ['__proto__', 'constructor', 'prototype'].includes(key) +} + /** * Recursively merge two objects together. * @param originalObject The base object. Properties here will be overwritten @@ -72,7 +77,7 @@ export const Merge = (originalObject: any, newObject: any, behavior?: IMergeBeha return definedBehaviorResults; } } - + return handleDefaultBehavior(originalObject, newObject, behavior); };
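Review bot: In the `for (const p in newObject)` loop of handleDefaultBehavior, the new `if (isPrototypePolluted(p)) continue` silently discards every key named `constructor` or `prototype`, including ordinary own data properties of `newObject`, and the loop still walks inherited enumerable keys because there is no own-property check. Consider documenting the skipped keys in the Merge JSDoc, adding an own-property test before the assignment, and renaming the helper to something like `isUnsafeKey(key: string)`, since it tests a key name rather than whether pollution occurred. The commit changes only src/Merge.ts, so a regression test that merges an object carrying a `__proto__` key is also missing.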
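Review bot: The only change in the second hunk, inside Merge, is whitespace on the blank line before `return handleDefaultBehavior(originalObject, newObject, behavior);`, which is unrelated to the security fix and is better kept out of it. The `return definedBehaviorResults;` path just above exits before the guarded loop is reached, so it is worth confirming in review that results produced by custom behaviors cannot carry the blocked keys into `originalObject`.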
References (5)
- github.com/advisories/GHSA-5xjx-4xcm-hpcm [ghsa, ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2021-23403 [ghsa, ADVISORY]
- github.com/BadOPCode/NoDash/blob/master/src/Merge.ts [ghsa, x_refsource_MISC, WEB]
- github.com/BadOPCode/NoDash/commit/b9cc2b3b49f6cd5228e406bc57e17a28b998fea5 [ghsa, WEB]
- snyk.io/vuln/SNYK-JS-TSNODASH-1311009 [ghsa, x_refsource_MISC, WEB]