CVE-2022-24802 in deepmerge-tsinfo

Summary

by MITRE • 04/01/2022

deepmerge-ts is a typescript library providing functionality to deep merging of javascript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords(). This issue has been patched in version 4.0.2. There are no known workarounds for this issue.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/05/2022

The CVE-2022-24802 vulnerability affects deepmerge-ts, a popular typescript library designed for deep merging of javascript objects. This library serves as a utility component in numerous applications and development environments where object manipulation and data structure consolidation are required. The vulnerability specifically resides within the file deepmerge.ts and manifests through the function defaultMergeRecords(), which processes object merging operations. The flaw represents a prototype pollution vulnerability that can be exploited to manipulate the prototype of objects within the javascript runtime environment, potentially leading to unexpected behavior and security implications for applications that rely on this library.

Prototype pollution occurs when an attacker can manipulate the prototype of an object, which can lead to various security consequences including but not limited to denial of service, code execution, or data manipulation. The vulnerability in deepmerge-ts allows attackers to inject properties into the Object.prototype through the defaultMergeRecords function, which can affect all objects that inherit from Object.prototype. This type of vulnerability is particularly dangerous because it can be exploited in applications that use the library for processing user-provided input or configuration data, where the merging operation might inadvertently pollute the prototype chain. The vulnerability has been classified under CWE-471, which specifically addresses the weakness of "Modification of Assumed-Immutable Data" and falls within the broader category of prototype pollution attacks.

The operational impact of this vulnerability extends beyond simple library functionality, as it can compromise the integrity and security of applications that utilize deepmerge-ts. When exploited, prototype pollution can enable attackers to modify the behavior of core javascript objects and potentially execute arbitrary code within the application context. This risk is particularly elevated in environments where the library processes untrusted data or where applications rely heavily on object merging operations. The vulnerability affects all versions prior to 4.0.2, making it critical for organizations to assess their dependency trees and ensure all instances of deepmerge-ts are updated to the patched version. The lack of known workarounds means that organizations cannot simply modify their code to avoid the vulnerability while continuing to use affected versions.

Mitigation strategies for CVE-2022-24802 require immediate action to upgrade to version 4.0.2 or later of the deepmerge-ts library. Organizations should conduct comprehensive dependency audits to identify all instances of the vulnerable library within their applications and development environments. Security teams should also implement monitoring for prototype pollution patterns in their applications and consider implementing input validation and sanitization measures as defensive programming practices. The vulnerability aligns with ATT&CK technique T1548.005, which covers "Server Software Component: Prototype Pollution," and represents a common vector for privilege escalation attacks in web applications. Additionally, organizations should consider implementing software composition analysis tools to proactively identify and remediate similar vulnerabilities in their software supply chain, as prototype pollution vulnerabilities often remain undetected until exploitation occurs. The patch addresses the core issue by preventing the propagation of malicious properties into object prototypes during the merging process, ensuring that the library maintains proper object isolation and prevents unauthorized prototype modifications.

Responsible

GitHub, Inc.

Reservation

02/10/2022

Disclosure

04/01/2022

Moderation

accepted

CPE

ready

EPSS

0.01612

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!