[vulnerability] All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge

[ekelvin]

In absence of a security policy I am creating the issue here.
CVE-2020-28499
https://nvd.nist.gov/vuln/detail/CVE-2020-28499#match-6281551

[matheo]

@ekelvin what does the library need to avoid Prototype Pollution completely? this?:

- if (key === '__proto__' || key === 'constructor' || key === 'prototype')
+ if (key === '__proto__' || key === 'constructor' || key === 'prototype' || key === 'toString' || key === 'hasOwnProperty')

[samydavd]

Hi @matheo, can you publish your repository in npm registry?

Otherwise, there is this other vulnerability: CVE-2021-23397 (https://nvd.nist.gov/vuln/detail/CVE-2021-23397).

Although I know this vulnerability is about another library but that came up running the dependency check over this merge library!

I don't know if this fix solves the problem

[juanrgm]

The CVE (GHSA-7wpw-2hjm-89gp) says:

• Affected versions < 2.1.1
• Patched versions 2.1.1

What is the problem?