Vulnerability Details CVE-2020-28499
All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 66.4%
CVSS Severity
CVSS v3 Score 7.3
CVSS v2 Score 7.5
References
- https://github.com/yeikos/js.merge/blob/master/src/index.ts%23L64
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1071049
- https://snyk.io/vuln/SNYK-JS-MERGE-1042987
- https://vuldb.com/?id.170146
- https://github.com/yeikos/js.merge/blob/master/src/index.ts%23L64
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1071049
- https://snyk.io/vuln/SNYK-JS-MERGE-1042987
Products affected by CVE-2020-28499
-
cpe:2.3:a:merge_project:merge:1.0.0
-
cpe:2.3:a:merge_project:merge:1.0.2
-
cpe:2.3:a:merge_project:merge:1.1.0
-
cpe:2.3:a:merge_project:merge:1.1.1
-
cpe:2.3:a:merge_project:merge:1.1.2
-
cpe:2.3:a:merge_project:merge:1.1.3
-
cpe:2.3:a:merge_project:merge:1.2.0
-
cpe:2.3:a:merge_project:merge:1.2.1
-
cpe:2.3:a:merge_project:merge:2.1.0