All versions of `defaults-deep` are vulnerable to prototype pollution. Provided certain input `defaults-deep` can add or modify properties of the `Object` prototype. These properties will be present on all objects.

## Recommendation

As no patch is currently available for this vulnerability it is our recommendation to select another module that can provide this functionality.

Affected Packages

npm defaults-deep

Affected versions: 0 (last affected: 0.2.4)

Related CVEs

CVE-2018-16486

Key Information

GHSA ID

GHSA-pjxw-22xf-6pwc

Published

February 7, 2019 6:16 PM

Last Modified

September 12, 2023 9:05 PM

CVSS Score

9.0 /10

Primary Ecosystem

npm

Primary Package

defaults-deep

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 30, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.