VYPR
Moderate severity · GHSA Advisory · Published Jul 28, 2021 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23417

Description

All versions of the npm package deepmergefn are vulnerable to Prototype Pollution via its deepMerge function, allowing an attacker to inject arbitrary properties into Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The deepmergefn npm package, in all versions, is vulnerable to Prototype Pollution through its deepMerge function. The function performs an unsafe recursive merge of objects without properly checking for dangerous properties such as __proto__, constructor, or prototype. When merging user-controlled objects, an attacker can craft a source object containing a __proto__ key, which, due to the recursive merge logic, leads to properties being copied onto Object.prototype as described in [1] and [2]. The vulnerable code is located in the index.js file at line 6 [3]. All versions of the package are affected [1].

Exploitation

An attacker can trigger the vulnerability by providing a specially crafted object to the deepMerge function. No special network position or authentication is required beyond access to call the function with attacker-controlled input. The classic attack involves passing an object with a __proto__ property set to an object containing arbitrary properties. When the recursive merge is performed (e.g., merge(target, source)), the merge function detects that both target and source have a __proto__ property that is an object, and then recurses into it, thereby polluting the prototype chain. This can also be achieved through clone operations (e.g., merge({}, source)). The exploit does not require user interaction beyond the application processing the malicious input [2].

Impact

Successful exploitation allows an attacker to pollute the Object.prototype with arbitrary properties. This can lead to a range of impacts, including denial of service by triggering JavaScript exceptions, or more critically, tampering with the application's source code to force code paths that the attacker injects, potentially leading to remote code execution (RCE) [2]. The scope of compromise is the entire JavaScript runtime, as all objects inherit from the polluted prototype.

Mitigation

As of the publication date (2021-07-28), no patched version of deepmergefn exists. The official GitHub repository [4] shows the project and its code, but no subsequent update or advisory was published. Users are advised to avoid using this package if possible, or to apply workarounds such as sanitizing input objects to prevent keys like __proto__, constructor, and prototype from being passed to the deepMerge function. The package has not been listed on the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.
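The following is an added example, not code from the deepmergefn package or the advisory. It shows the recursive-merge pattern the Vulnerability and Exploitation sections describe (a merge that recurses whenever both sides hold an object, with no check for __proto__), a hardened merge that refuses the keys named under Mitigation, and a pre-merge walk that reports where such a key sits in untrusted input. The payload, the `polluted` property, and all function names are constructed for illustration.

```javascript
// Added example (not the deepmergefn package's own code): a recursive merge with the
// flaw the advisory describes, a hardened merge, and a pre-merge key check.
// The payload and helper names are constructed for illustration.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isObject(v) {
  return v !== null && typeof v === 'object';
}

// Recurse only into plain objects, never into arrays, class instances or exotic objects.
function isPlainObject(v) {
  if (!isObject(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Vulnerable pattern, mirroring the flaw the advisory describes: every enumerable key of
// `source` is merged with no key check. For a JSON-derived source, "__proto__" is an own,
// enumerable key; target["__proto__"] resolves to Object.prototype, both sides are objects,
// so the recursion descends into Object.prototype and writes the attacker's leaves there.
function deepMergeVulnerable(target, source) {
  for (const key in source) {
    if (isObject(target[key]) && isObject(source[key])) {
      deepMergeVulnerable(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: reject the dangerous keys outright, use only own keys of `source`,
// and reuse a target value only when it is an own plain object (never an inherited one).
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) {
      throw new Error(`refusing to merge unsafe key "${key}"`);
    }
    const srcVal = source[key];
    if (isPlainObject(srcVal)) {
      const ownPlain = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = deepMergeSafe(ownPlain ? target[key] : {}, srcVal);
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// Input sanitising check for the workaround the advisory suggests: walk untrusted input
// (objects and arrays) and return the path of the first dangerous key, or null if none.
function findUnsafeKey(value, path = '') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findUnsafeKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (!isPlainObject(value)) return null;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (UNSAFE_KEYS.has(key)) return here;
    const hit = findUnsafeKey(value[key], here);
    if (hit) return hit;
  }
  return null;
}

// Constructed payload of the shape the advisory describes, as it would arrive via JSON.
const PAYLOAD_JSON = '{"user":{"name":"alice"},"__proto__":{"polluted":"yes"}}';

function demonstrate() {
  const result = {};
  try {
    deepMergeVulnerable({}, JSON.parse(PAYLOAD_JSON));
    // An unrelated, freshly created object now inherits the injected property.
    result.vulnerablePolluted = ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted; // undo the pollution so nothing else is affected
  }

  result.unsafeKeyPath = findUnsafeKey(JSON.parse(PAYLOAD_JSON)); // '__proto__'

  let safeRejected = false;
  try {
    deepMergeSafe({}, JSON.parse(PAYLOAD_JSON));
  } catch (e) {
    safeRejected = true;
  }
  result.safeRejected = safeRejected;
  result.safePolluted = ({}).polluted === 'yes';

  // Benign input still merges normally through the hardened function.
  result.safeMerged = deepMergeSafe({ user: { role: 'viewer' } }, { user: { name: 'alice' } });
  return result;
}

console.log(demonstrate());
```

The hardened merge throws rather than silently dropping the key so that the rejection surfaces in application logs; `findUnsafeKey` is the same check applied before any merge, which is the practical form of the "sanitize input objects" workaround when the package itself cannot be replaced. Deep-freezing `Object.prototype` is a further runtime backstop, but it is not a substitute for validating the keys of merged input.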

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           | Affected versions | Patched versions
deepmergefn (npm) | <= 1.1.0          | (none)

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.