High severity (7.5) · NVD Advisory · Published Feb 5, 2025 · Updated Apr 15, 2026
CVE-2024-57085
Description
A prototype pollution vulnerability in the deepMerge function of @stryker-mutator/util v8.6.0 allows attackers to cause a denial of service (DoS) by supplying a crafted payload. The description names v8.6.0; the advisory's affected range covers every release before 8.7.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @stryker-mutator/util (npm) | < 8.7.1 | 8.7.1 |
Patches
f7b34bfbbde3 fix(util): prevent prototype pollution in deepMerge (#5144)
2 files changed · +25 −10
packages/util/src/deep-merge.ts+12 −10 modified@@ -8,15 +8,17 @@ export type DeepPartial<T> = { * @param overrides */ export function deepMerge<T>(defaults: T, overrides: DeepPartial<T>): void { - Object.keys(overrides).forEach((key) => { - const defaultValue = (defaults as any)[key]; - const overrideValue = (overrides as any)[key]; - if (overrideValue !== undefined) { - if (defaultValue === undefined || typeof defaultValue !== 'object' || typeof overrideValue !== 'object' || Array.isArray(defaultValue)) { - (defaults as any)[key] = overrideValue; - } else { - deepMerge(defaultValue, overrideValue as DeepPartial<T>); + Object.keys(overrides) + .filter((key) => key !== '__proto__') + .forEach((key) => { + const defaultValue = (defaults as any)[key]; + const overrideValue = (overrides as any)[key]; + if (overrideValue !== undefined) { + if (defaultValue === undefined || typeof defaultValue !== 'object' || typeof overrideValue !== 'object' || Array.isArray(defaultValue)) { + (defaults as any)[key] = overrideValue; + } else { + deepMerge(defaultValue, overrideValue as DeepPartial<T>); + } } - } - }); + }); }
packages/util/test/unit/deep-merge.spec.ts+13 −0 modified@@ -60,4 +60,17 @@ describe(deepMerge.name, () => { const expected: Foo = { foo: '1' }; expect(foo).deep.eq(expected); }); + + it('should prevent prototype pollution', () => { + // Arrange + const someObj = {}; + + // Act + // eslint-disable-next-line @typescript-eslint/no-unsafe-argument + deepMerge(someObj, JSON.parse('{"__proto__":{"pollutedKey":123}}')); + + // Assert + // @ts-expect-error This polluted key shouldn't be there, that's the point + expect({}.__proto__.pollutedKey).undefined; + }); });
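Review bot: in packages/util/src/deep-merge.ts the new `.filter((key) => key !== '__proto__')` blocks only the `__proto__` key; `constructor` and `prototype` still pass through. With the condition as written, a `{"constructor":{"prototype":{...}}}` override does not reach `Object.prototype`, because `defaults.constructor` is a function, so `typeof defaultValue !== 'object'` is true and the value is assigned as an own property instead of being recursed into, but that protection is implicit and one refactor of the condition away from disappearing. Consider an explicit denylist, e.g. `const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);` with `.filter((key) => !UNSAFE_KEYS.has(key))`. On the positive side, because the filter sits inside the function that recurses, nested payloads such as `{"a":{"__proto__":{...}}}` are rejected at every level too.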
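Review bot: the new case in packages/util/test/unit/deep-merge.spec.ts asserts only on `pollutedKey` after a top-level `"__proto__"` override and has no cleanup, so if the fix ever regresses the polluted `Object.prototype` leaks into every later test in the process. Suggest an `afterEach` that does `delete (Object.prototype as any).pollutedKey`, plus two more inputs: a nested payload such as `JSON.parse('{"a":{"__proto__":{"pollutedKey":123}}}')` to cover the recursive call, and `JSON.parse('{"constructor":{"prototype":{"pollutedKey":123}}}')` to pin down the behaviour of the `constructor` path that the filter does not cover.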
Vulnerability mechanics
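The pollution primitive behind the description, as an added example that is not code from the Stryker project or from this advisory. `deepMergeVulnerable` reproduces the logic of the removed lines in the patch above; `deepMergeHardened` is this example's own variant, whose `BLOCKED_KEYS` denylist goes beyond the upstream fix (which filters only `__proto__`) by also rejecting `constructor` and `prototype`. The `pollutes` and `mergesNormally` helpers and the constructed payloads are this example's own names; the first payload is the one the project's regression test uses. The example shows how the merge writes attacker-chosen keys onto `Object.prototype` and that the hardened variant does not, including for a nested payload; it does not reproduce the DoS payload referenced by the advisory.

```typescript
// Added example for CVE-2024-57085; not code from the Stryker project.
// deepMergeVulnerable mirrors the "-" lines of the patch; deepMergeHardened is
// this example's own variant with a broader denylist than the upstream fix.

type AnyObj = Record<string, any>;

// Pre-fix behaviour: every own key of `overrides`, including "__proto__", is
// either assigned or recursed into. For key "__proto__" on a plain object,
// `defaults["__proto__"]` resolves to Object.prototype, which is an object, so
// the function recurses into it and writes attacker-chosen keys onto it.
function deepMergeVulnerable(defaults: AnyObj, overrides: AnyObj): void {
  Object.keys(overrides).forEach((key) => {
    const defaultValue = defaults[key];
    const overrideValue = overrides[key];
    if (overrideValue !== undefined) {
      if (defaultValue === undefined || typeof defaultValue !== 'object' || typeof overrideValue !== 'object' || Array.isArray(defaultValue)) {
        defaults[key] = overrideValue;
      } else {
        deepMergeVulnerable(defaultValue, overrideValue);
      }
    }
  });
}

// Hardened variant (assumption: denylist chosen for this example). The upstream
// fix filters only "__proto__"; "constructor" and "prototype" are added here as
// defence in depth. Because the filter runs on every recursive call, a payload
// that buries "__proto__" under another key is rejected as well.
const BLOCKED_KEYS: ReadonlySet<string> = new Set(['__proto__', 'constructor', 'prototype']);

function deepMergeHardened(defaults: AnyObj, overrides: AnyObj): void {
  Object.keys(overrides)
    .filter((key) => !BLOCKED_KEYS.has(key))
    .forEach((key) => {
      const defaultValue = defaults[key];
      const overrideValue = overrides[key];
      if (overrideValue !== undefined) {
        if (defaultValue === undefined || typeof defaultValue !== 'object' || typeof overrideValue !== 'object' || Array.isArray(defaultValue)) {
          defaults[key] = overrideValue;
        } else {
          deepMergeHardened(defaultValue, overrideValue);
        }
      }
    });
}

// Constructed payloads. PROTO_PAYLOAD is the one from the project's regression
// test; NESTED_PAYLOAD places the key below the top level; CONSTRUCTOR_PAYLOAD
// takes the other classic route, which this merge does not follow even before the
// fix (defaults.constructor is a function, so it is overwritten as an own property).
const PROTO_PAYLOAD = '{"__proto__":{"pollutedKey":123}}';
const NESTED_PAYLOAD = '{"nested":{"__proto__":{"pollutedKey":123}}}';
const CONSTRUCTOR_PAYLOAD = '{"constructor":{"prototype":{"pollutedKey":123}}}';

// Merges the JSON payload into a fresh config object and reports whether an
// unrelated, newly created object now sees `probeKey` through Object.prototype.
// Always removes the key again so the pollution cannot leak past this call.
function pollutes(merge: (d: AnyObj, o: AnyObj) => void, payload: string, probeKey: string): boolean {
  const config: AnyObj = { nested: { keep: true } };
  try {
    merge(config, JSON.parse(payload));
    return ({} as AnyObj)[probeKey] === 123;
  } finally {
    delete (Object.prototype as AnyObj)[probeKey];
  }
}

// Sanity check that the hardened merge still applies ordinary overrides:
// scalars are replaced, nested objects are merged, arrays are replaced wholesale.
function mergesNormally(): boolean {
  const defaults = { timeout: 5000, reporters: ['progress'], nested: { a: 1, b: 2 } };
  deepMergeHardened(defaults, { timeout: 1000, reporters: ['html'], nested: { b: 3 } });
  return defaults.timeout === 1000 && defaults.nested.a === 1 && defaults.nested.b === 3 && defaults.reporters.length === 1 && defaults.reporters[0] === 'html';
}
```

The point of the `({} as AnyObj)[probeKey]` probe is that prototype pollution is observed on an object the merge never touched: once `Object.prototype` carries the key, every object in the process inherits it, which is what turns a config-merging helper into a process-wide integrity problem.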
References
- github.com/advisories/GHSA-9j5q-479x-43g2 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-57085 (GHSA; advisory)
- gist.github.com/tariqhawis/f59355f62dad6f8b53b42317f143ba0c (NVD; web)
- github.com/stryker-mutator/stryker-js/blob/7270f111ff36d6b18669302f5702fd42f664d53e/CHANGELOG.md (GHSA; web)
- github.com/stryker-mutator/stryker-js/commit/f7b34bfbbde33e45bc213a2f6058bf0c5bf6bce7 (GHSA; web)
- github.com/stryker-mutator/stryker-js/issues/5144 (GHSA; web)