CVE-2019-10745 — assign-deep Vulnerable to Prototype Pollution

Description

Versions of `assign-deep` prior to 1.0.1 and 0.4.8 are vulnerable to Prototype Pollution. The `assign` function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. ## Recommendation Upgrade to versions 1.0.1, 0.4.8, or later.

How to fix CVE-2019-10745

To remediate CVE-2019-10745, upgrade the affected package to a fixed version below.

—upgrade to 0.4.8 or later

Is CVE-2019-10745 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.4.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10745
PATCHgithub.com/jonschlinkert/assign-deep
WEBgithub.com/jonschlinkert/assign-deep/commit/8e3cc4a34246733672c71e96532105384937e56c
WEBgithub.com/jonschlinkert/assign-deep/commit/90bf1c551d05940898168d04066bbf15060f50cc