CVE-2018-16469
Prototype Pollution vulnerability in merge (npm)

Prototype Pollution | No known exploit

What is CVE-2018-16469 About?

This vulnerability is a Prototype Pollution flaw in `merge` versions prior to 1.2.1. It allows attackers to modify or add properties to the Object prototype, which can lead to various integrity or availability issues across the application. Exploitation can be relatively easy if attacker-controlled input is passed to the vulnerable function.

Affected Software

merge <1.2.1

Technical Details

The merge.recursive function in affected versions of the merge library does not validate the property names of the objects it merges. An attacker can supply input (for example, a parsed JSON object) that contains a `__proto__` key whose value is an object. Because merge.recursive treats `__proto__` like any other property, it recurses into the target's prototype, which for an ordinary object is the global Object.prototype, and adds or modifies properties there. Every object created afterwards inherits those attacker-controlled properties, so the effect spreads across the whole application.
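The following is an added example, not code from the merge library or from this advisory. It uses two small recursive merge functions written here for illustration: one that reproduces the bug class described above (it walks every key, so a `__proto__` key lands on Object.prototype) and one that applies the usual fix pattern (own keys only, prototype-reaching keys refused). The JSON payload is a constructed sample, and `pollutes` / `prototypeIsClean` are helpers defined here, useful as regression checks in a test suite.

```javascript
// Added illustration for CVE-2018-16469: prototype pollution through a
// recursive merge. This is NOT the merge library's code; both merge
// functions are written here to show the vulnerable pattern and the fix
// pattern, and the payload is a constructed sample.

// Constructed sample input of the kind a JSON body parser hands to the
// application. JSON.parse creates "__proto__" as an ordinary own property,
// so a merge that iterates keys blindly sees it like any other key.
const CONSTRUCTED_PAYLOAD = '{"__proto__": {"polluted": "yes"}, "name": "x"}';

function isObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: every key of `source` is merged, including "__proto__".
// Reading target["__proto__"] on a plain object yields Object.prototype, so
// the recursive call writes the attacker's properties onto the shared
// prototype that every later object inherits from.
function vulnerableMerge(target, source) {
  for (const key in source) {
    if (isObject(source[key])) {
      if (!isObject(target[key])) target[key] = {};
      vulnerableMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: iterate own keys only and refuse the keys that reach the
// prototype chain ("__proto__", plus "constructor" and "prototype", which
// give the same reach via target.constructor.prototype).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isObject(value)) {
      // Only recurse into an object the target itself owns, never into an
      // inherited one.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge function against a fresh target with the sample payload and
// reports whether Object.prototype picked up the injected property. The
// property is removed afterwards so the process is not left polluted.
function pollutes(mergeFn) {
  mergeFn({}, JSON.parse(CONSTRUCTED_PAYLOAD));
  const polluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return polluted;
}

// Cheap regression check for a test suite or health probe: Object.prototype
// should carry no enumerable own properties at all.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

const DEMO = {
  vulnerableMergePollutes: pollutes(vulnerableMerge), // true
  safeMergePollutes: pollutes(safeMerge),             // false
  prototypeCleanAfterwards: prototypeIsClean(),       // true
};
console.log(DEMO);
```

`safeMerge` still merges legitimate nested objects; it only drops the three keys that can redirect a write into the prototype chain. Upgrading to a fixed merge version is the real remedy; the `prototypeIsClean` check is a way to catch a regression or a polluted process early, and freezing Object.prototype at startup is a further defense-in-depth option where the application tolerates it.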

What is the Impact of CVE-2018-16469?

Successful exploitation may allow attackers to corrupt application data, bypass security controls, or cause a denial of service due to unexpected object behavior.

What is the Exploitability of CVE-2018-16469?

Exploitation of this prototype pollution vulnerability requires the attacker to be able to supply malicious input to the merge.recursive function. The complexity is low, as it typically involves sending a crafted JSON payload. Authentication requirements depend on whether the vulnerable function can be reached by an unauthenticated user or only an authenticated one. No specific privileges are necessary beyond the ability to interact with the application's input processing. It is primarily a remote vulnerability if the input comes from an external source, but could also be local if an application processes untrusted local files. The main risk factor is the application's reliance on unsanitized user input in data merging operations.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2018-16469?

Available Upgrade Options

  • merge
    • <1.2.1 → Upgrade to 1.2.1

Additional Resources

What are Similar Vulnerabilities to CVE-2018-16469?

Similar Vulnerabilities: CVE-2019-11358, CVE-2019-10744, CVE-2020-28282, CVE-2020-8270, CVE-2021-23351