VYPR
Critical severity 10.0 · NVD Advisory · Published Jul 1, 2024 · Updated Apr 15, 2026

CVE-2024-39008

Description

robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution vulnerability in the function objectMergeDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) by injecting arbitrary properties.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
fast-loops (npm) | < 1.1.4 | 1.1.4

Patches

6743acf64af8

fixes #18

https://github.com/robinweser/fast-loops · Robin Weser · Jul 4, 2024 · via ghsa
1 file changed · +13 -8
  • modules/objectMergeDeep.js · +13 -8 · modified
    @@ -1,18 +1,23 @@
     export default function objectMergeDeep(base = {}, ...objs) {
       for (let i = 0, len = objs.length; i < len; ++i) {
    -    const obj = objs[i]
    +    const obj = objs[i];
     
         for (const key in obj) {
    -      const value = obj[key]
    +      // see https://github.com/robinweser/fast-loops/issues/18
    +      if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
    +        continue;
    +      }
    +
    +      const value = obj[key];
     
    -      if (typeof value === 'object' && !Array.isArray(value)) {
    -        base[key] = objectMergeDeep(base[key], value)
    -        continue
    +      if (typeof value === 'object' && !Array.isArray(value) && value !== null) {
    +        base[key] = objectMergeDeep(base[key], value);
    +        continue;
           }
     
    -      base[key] = value
    +      base[key] = value;
         }
       }
     
    -  return base
    -}
    +  return base;
    +}
    \ No newline at end of file
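Review bot: the new guard at the top of the `for (const key in obj)` loop filters by name only, while `for...in` still walks inherited enumerable keys, so the merge keeps copying whatever a source object inherits; an own-property check next to the blocklist (`if (!Object.prototype.hasOwnProperty.call(obj, key)) continue;`) would restrict the merge to the source's own data. Skipping `constructor` and `prototype` at every depth also silently drops legitimate data keys with those names, which the function's documentation should state. The added `value !== null` test protects only the source side: a `base[key]` that is already `null` is still passed to the recursive call, the `base = {}` default applies only to `undefined`, and the assignment into `base` then throws. The commit changes one file, so no regression test for issue #18 accompanies the fix, and the semicolon-only edits and the dropped trailing newline would be easier to review in a separate commit.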
    
