npm package
putil-merge
pkg:npm/putil-merge
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-23470 | — | < 3.8.0 | 3.8.0 | Feb 4, 2022 | This affects the package putil-merge before 3.8.0. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix | ||
| CVE-2021-25953 | — | >= 1.0.0, < 3.7.0 | 3.7.0 | Jul 14, 2021 | Prototype pollution vulnerability in 'putil-merge' versions1.0.0 through 3.6.6 allows attacker to cause a denial of service and may lead to remote code execution. |
- CVE-2021-23470Feb 4, 2022affected < 3.8.0fixed 3.8.0
This affects the package putil-merge before 3.8.0. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix
- CVE-2021-25953Jul 14, 2021affected >= 1.0.0, < 3.7.0fixed 3.7.0
Prototype pollution vulnerability in 'putil-merge' versions1.0.0 through 3.6.6 allows attacker to cause a denial of service and may lead to remote code execution.