Prototype Pollution in viking04/merge
Description
Prototype Pollution vulnerability in the npm @viking04/merge package allows attackers to pollute object prototypes via crafted keys.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The @viking04/merge npm package (all versions prior to the fix) is vulnerable to Prototype Pollution. The merge function iterates over the keys of each source object and assigns them to the destination without filtering dangerous keys such as __proto__ or constructor. Because the merge is recursive and dst["__proto__"] resolves to Object.prototype, a source containing a key such as __proto__ lets an attacker write arbitrary properties into the global Object.prototype. The fix was committed in commit baba403 [1][2].
Exploitation
An attacker needs only the ability to supply a crafted object as a source argument to the merge function. No authentication or special privileges are required if the attacker controls the input data (e.g., via user-submitted JSON). A proof-of-concept is shown in the fix commit where JSON.parse('{"__proto__":{"polluted":true}}') is merged, causing {}.polluted to return true [2].
Impact
Successful exploitation allows the attacker to pollute the prototype chain of all objects, potentially leading to property injection, unexpected behavior in the application, and in some cases, remote code execution if polluted properties affect security-sensitive logic. The CVSS score is not provided in the references, but the severity is high due to potential for widespread impact [1].
Mitigation
The fix is available in commit baba403 [1][2]. Users should update to a version of @viking04/merge that includes this commit or later. As a workaround, applications can sanitize input objects manually to exclude __proto__ and constructor keys before passing them to merge; because merge recurses into nested objects, the sanitization has to be applied recursively as well. There is no indication that the package is listed on CISA KEV at the time of writing [1][2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @viking04/merge (npm) | < 1.0.2 | 1.0.2 |
Affected products
- viking04/viking04/merge v5 (range: unspecified)
Patches
- baba40332080: Fix for Prototype Pollution
3 files changed · +21 −1
index.js+2 −0 modified@@ -1,6 +1,8 @@ function merge(dst, ...sources) { for (src of sources) { for (let key in src) { + //fix for prototype pollution + if (key === "__proto__" || key === "constructor") continue; let s = src[key], d = dst[key] if (Object(s) == s && Object(d) === d) { dst[key] = merge(d, s)
package-lock.json+13 −0 added@@ -0,0 +1,13 @@ +{ + "name": "@viking04/merge", + "version": "1.0.1", + "lockfileVersion": 2, + "requires": true, + "packages": { + "": { + "name": "@viking04/merge", + "version": "1.0.1", + "license": "MIT" + } + } +}
test/test.js+6 −1 modified@@ -3,4 +3,9 @@ var a = {"a":{"red":"apple"}} var b = {"b":{"yellow":"mango"}} var c = {"a":{"orange":"orange"}} merge(a,b,c) -console.log(a) \ No newline at end of file +console.log(a) + +//Test case for prototype pollution fix +var prototype_pollution_test = JSON.parse('{"__proto__":{"polluted":true}}') +merge(a,prototype_pollution_test) +console.log({}.polluted)
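Review bot: the index.js deny-list stops `__proto__` and `constructor`, but the loop still reads `d = dst[key]` without an own-property check, so an inherited value on the destination (anything on Object.prototype) remains a candidate for the recursive `merge(d, s)` call; add `prototype` to the skipped keys and guard the recursion with `Object.prototype.hasOwnProperty.call(dst, key)` (or iterate `Object.keys(src)`) so merging never descends into an inherited object. The surrounding `for (src of sources)` also assigns to an undeclared `src`; declare it with `const`.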
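Review bot: the added package-lock.json records `"version": "1.0.1"` while the advisory lists 1.0.2 as the patched release; bump the package version in the same commit as the fix so the lockfile and the published fix agree.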
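Review bot: the new test in test/test.js only does `console.log({}.polluted)`, so it cannot fail if the fix regresses; replace the log with an assertion such as `assert.strictEqual({}.polluted, undefined)` (and `assert.strictEqual(Object.prototype.polluted, undefined)`) so the pollution check is enforced rather than eyeballed.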
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cqqh-49mx-fq63 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-3645 (advisory)
- github.com/viking04/merge/commit/baba40332080b38b33840d2614df6d4142dedaf6 (fix commit)
- huntr.dev/bounties/ef387a9e-ca3c-4c21-80e3-d34a6a896262 (bounty report)