VYPR
Moderate severity · NVD Advisory · Published Dec 10, 2021 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23700

Description

The merge-deep2 npm package is vulnerable to Prototype Pollution via its mergeDeep() function, allowing attackers to pollute Object.prototype and potentially achieve remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The merge-deep2 npm package (all versions) is vulnerable to Prototype Pollution in its mergeDeep() function. The function recursively merges properties from source objects into a target object without filtering out the keys __proto__, constructor, and prototype. Because a recursive merge that reaches target["__proto__"] is writing into Object.prototype, an attacker who controls the source object can inject arbitrary properties into the global Object.prototype [2].

Exploitation

An attacker can exploit this by supplying a crafted object whose __proto__ property holds the properties they want injected. When mergeDeep() is called with user-controlled input as the source (for example, a parsed JSON request body), the recursive merge writes those properties into Object.prototype. No authentication or special privileges are required if the application merges untrusted data. The attack is simple: pass an object like {"__proto__": {"polluted": true}} to the merge function [2].

Impact

Successful prototype pollution can lead to denial of service (via JavaScript exceptions thrown when unexpected inherited properties are encountered) or, in many cases, remote code execution by altering the application's code path. Every JavaScript object that inherits from Object.prototype sees the polluted properties, so security checks that rely on a property being absent can be bypassed and the effect reaches the entire application [2].

Mitigation

As of the available references, no fixed version of merge-deep2 has been released, and the package appears unmaintained. Users should stop using merge-deep2 or replace it with a deep-merge implementation that skips the __proto__, constructor, and prototype keys and only copies own enumerable properties. Monitor for updates, or consider forking the package to apply such a fix [2].
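The following is an added example of the kind of replacement the Mitigation section calls for; it is not code from merge-deep2 or from the advisory. It implements the key filtering described in the Vulnerability section (drop __proto__, constructor and prototype; iterate own enumerable keys only; never recurse into an inherited property of the target) and adds a post-merge check that a fresh object has inherited nothing new. The function names (isPlainObject, safeMergeDeep, prototypeIsClean, demo) and the sample JSON are this example's own.

```javascript
// Keys through which a recursive merge can reach Object.prototype or a
// constructor's prototype. Any deep-merge that accepts untrusted input must skip them.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain data objects are merged recursively. Arrays, Dates, class instances
// and null are assigned as-is so the merge never walks an exotic object's prototype.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened deep merge (hypothetical replacement for the vulnerable pattern).
function safeMergeDeep(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    // Object.keys yields own enumerable keys only, so nothing inherited is copied,
    // and the Set check drops the three prototype-reaching keys.
    for (const key of Object.keys(source)) {
      if (BLOCKED_KEYS.has(key)) continue;
      const value = source[key];
      if (isPlainObject(value)) {
        // Read the target's OWN value only: target[key] on a missing key could
        // otherwise return an inherited object and the recursion would write into it.
        const existing = Object.prototype.hasOwnProperty.call(target, key)
          ? target[key]
          : undefined;
        target[key] = safeMergeDeep(isPlainObject(existing) ? existing : {}, value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Regression check for a test suite: after merging untrusted input, a freshly
// created object must not inherit the given property name.
function prototypeIsClean(propertyName) {
  return !(propertyName in {});
}

// Constructed sample input: the payload shape quoted in the advisory, arriving as
// JSON so that "__proto__" is an own data key rather than the inherited accessor,
// plus a "constructor.prototype" variant and some ordinary fields.
const untrustedJson =
  '{"__proto__":{"polluted":true},"constructor":{"prototype":{"x":1}},' +
  '"name":"example","nested":{"a":1}}';

function demo() {
  const merged = safeMergeDeep({ nested: { b: 2 } }, JSON.parse(untrustedJson));
  return {
    merged,
    clean: prototypeIsClean('polluted') && prototypeIsClean('x'),
  };
}

console.log(JSON.stringify(demo()));
```

Run with `node safe-merge.js`: the ordinary fields (`name`, `nested`) are merged, the two prototype-reaching keys are dropped, and `clean` is true because `({}).polluted` and `({}).x` remain undefined. The own-property check before recursing matters as much as the key filter: without it, a target that happens to lack a key would hand the recursion whatever that name resolves to on the prototype chain.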

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: merge-deep2 (npm)
Affected versions: <= 3.0.6
Patched versions: (none)

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.