GMS-2018-16: Denial of Service and remote code execution
Utility functions in merge-deep can be tricked into modifying the prototype of “Object” when an attacker controls part of the structure passed to these functions. This lets the attacker add or modify properties that will then exist on all objects, which can lead to denial of service or remote code execution.
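The pattern described above, as an added example that is not merge-deep's own code: a naive recursive merge that follows the `__proto__` key into `Object.prototype`, next to a hardened merge that skips prototype-reaching keys. The function names (`naiveMerge`, `safeMerge`, `demo`) and the JSON input are constructed for illustration.

```javascript
// Added example; illustrative code, not merge-deep's source.
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive merge: recurses into whatever target[key] resolves to. For the key
// "__proto__" that is the inherited accessor, i.e. Object.prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val) && isPlainObject(target[key])) {
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: drops keys that reach the prototype chain and only
// recurses into properties the target actually owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(val) && own && isPlainObject(target[key])) {
      safeMerge(target[key], val);
    } else {
      target[key] = isPlainObject(val) ? safeMerge({}, val) : val;
    }
  }
  return target;
}

function demo() {
  // Constructed input standing in for attacker-influenced JSON.
  const untrusted = JSON.parse('{"a":{"b":1},"__proto__":{"polluted":true}}');

  const safe = safeMerge({ a: { c: 2 } }, untrusted);
  const afterSafe = ({}).polluted;   // prototype untouched

  naiveMerge({}, untrusted);
  const afterNaive = ({}).polluted;  // every object now inherits the property
  delete Object.prototype.polluted;  // restore the runtime

  return { safe, afterSafe, afterNaive };
}
```

A key denylist is one mitigation; merging into objects created with `Object.create(null)` or validating input against a schema before merging are alternatives.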