VYPR
Moderate severity · NVD Advisory · Published Dec 10, 2021 · Updated Sep 17, 2024

Prototype Pollution

CVE-2021-23561

Description

The 'comb' npm package is vulnerable to Prototype Pollution in its deepMerge() function, allowing attackers to inject properties into Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The comb npm package (all released versions, <= 2.0.0) is vulnerable to Prototype Pollution via the deepMerge() function [1][2]. The function performs a recursive merge of objects without filtering the __proto__, constructor, or prototype keys and without restricting itself to the target's own properties, so the recursion descends into the target's prototype chain and allows an attacker to pollute the global Object.prototype [2].

Exploitation

An attacker can exploit this by supplying a crafted object that carries a __proto__ key whose value holds attacker-chosen properties to any code path that passes attacker-influenced data to deepMerge(). No authentication or special privileges are required; the attacker only needs to supply input that reaches the merge operation [2]. Because the merge recurses into target["__proto__"], which resolves to Object.prototype, the nested properties are copied onto Object.prototype and become visible on every object in the process that inherits from it.

Impact

Successful exploitation leads to Prototype Pollution, which can cause denial of service (for example, a JavaScript exception when application code encounters an unexpected inherited property or an overwritten built-in) or, in certain application contexts, remote code execution if the polluted properties feed into application logic [2]. The concrete impact depends on how the application and its dependencies consume properties that may now be inherited rather than own.

Mitigation

No official fix has been released; the repository was archived on December 20, 2023, and is read-only [3]. Users should migrate to an alternative library that does not have this vulnerability. As a workaround, avoid passing untrusted input to deepMerge(), or validate input before the merge by rejecting the __proto__, constructor and prototype keys at every nesting level. Note that a JSON.parse()'d document with a "__proto__" key produces an ordinary own property with that name, so a check against the parsed object must look at its own keys (for example with Object.keys()), not at whether its prototype changed.
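The following is an added example, not code from the comb package: a recursive merge written in the unsafe style the Exploitation section describes, beside a hardened variant that applies the key filtering recommended above. The attacker payload is constructed for the demonstration; the function and helper names are this example's own, not comb's API.

```javascript
// Added example, not comb's code. deepMergeUnsafe() is deliberately written
// the way the advisory describes, so that the pollution path can be observed;
// deepMergeSafe() shows the hardened form.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Unsafe: for...in enumerates the own key "__proto__" of a JSON.parse()'d
// object; target["__proto__"] resolves to Object.prototype, which passes the
// plain-object check, so the recursion writes straight onto the global prototype.
function deepMergeUnsafe(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      deepMergeUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Keys that must never be merged: they alias or reach the prototype chain.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skip the blocked keys at every level, iterate only own keys of the
// source, and only recurse into a nested object the target itself owns.
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const dest = isPlainObject(existing) ? existing : {};
      target[key] = deepMergeSafe(dest, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload (not from the advisory), shaped like a JSON
// request body an application might merge into a config or options object.
const PAYLOAD = '{"name":"demo","__proto__":{"polluted":"yes"}}';

// Runs one merge implementation against the payload and reports whether an
// unrelated, freshly created object inherited the injected property. Removes
// the property afterwards so the pollution does not leak out of this check.
function pollutionCheck(merge) {
  const target = {};
  merge(target, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted;       // unrelated object: undefined unless polluted
  const ownKeys = Object.keys(target);
  delete Object.prototype.polluted;   // restore the global prototype
  return { name: target.name, leaked, ownKeys };
}

console.log('unsafe:', pollutionCheck(deepMergeUnsafe)); // leaked: 'yes'
console.log('safe:  ', pollutionCheck(deepMergeSafe));   // leaked: undefined
```

The key filter alone is not the whole story: the safe variant also iterates with Object.keys() rather than for...in and only recurses into properties the target owns, so an inherited property on the target can never become the destination of a write. An alternative design with the same effect is to merge into objects created with Object.create(null), which have no prototype to pollute.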

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package      Ecosystem   Affected versions   Patched versions
comb         npm         <= 2.0.0            none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)