Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-f9cm-qmx5-m98h

GitHub Security Advisory

Prototype Pollution in merge

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

Versions of `merge` before 1.2.1 are vulnerable to prototype pollution. The `merge.recursive` function can be tricked into adding or modifying properties of the Object prototype.

## Recommendation

Update to version 1.2.1 or later.

Affected Packages

npm merge
Affected versions: 0 (fixed in 1.2.1)

Related CVEs

CVE-2018-16469

Key Information

GHSA ID
GHSA-f9cm-qmx5-m98h
Published
November 1, 2018 2:45 PM
Last Modified
September 7, 2023 8:34 PM
CVSS Score
7.5 /10
Primary Ecosystem
npm
Primary Package
merge
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 2, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.