
Vulnerability package dependency "defaults-deep" #4971

Closed
i62navpm opened this issue Feb 7, 2019 · 4 comments

Comments


i62navpm commented Feb 7, 2019

Version

v2.4.3

Reproduction link

https://www.npmjs.com/advisories/778

Steps to reproduce

Please fix this vulnerability in your dependency tree:

nuxt > @nuxt/core > @nuxt/server > serve-placeholder > defaults-deep

What is expected ?

0 vulnerabilities found when auditing packages.

As no patch is currently available for this vulnerability it is our recommendation to select another module that can provide this functionality.

What is actually happening?

All versions of defaults-deep are vulnerable to prototype pollution. Provided certain input, defaults-deep can add or modify properties of the Object prototype. These properties will be present on all objects.

Additional comments?

https://hackerone.com/reports/380878

This bug report is available on Nuxt community (#c8618)
@ghost ghost added the cmty:bug-report label Feb 7, 2019
@pi0
Member

pi0 commented Feb 7, 2019

Hi. Thanks for the report. This is being addressed fast.

@begueradj

@pi0 Can you please explain shortly how you fixed that? (I followed the 2 links but ...)

@pi0
Member

pi0 commented Feb 7, 2019

For clarification, as also described in CVE-2018-16486, the impact is possibly more depending on the application, and no nuxt users are affected for sure because options to the middleware are not from user input but only from nuxt.config.

In general:

I submitted the fix to prevent accepting the constructor.prototype key on defaults-deep, but as it is unlikely to be merged and published fast, I created an alternative package that only does what we want.
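
A minimal illustration of the defect and of the key check pi0 describes, added here as example code that is not from defaults-deep, serve-placeholder or Nuxt; the helper names and the hostile input are constructed assumptions, and the hardened version also rejects `__proto__` and `prototype`, going beyond the single constructor.prototype case in the comment.

```javascript
// Added example, not code from defaults-deep, serve-placeholder or Nuxt: a
// minimal recursive defaults merge in the shape the advisory describes, then
// hardened by refusing the keys that lead to Object.prototype.

// Treating any object or function as mergeable lets the walk descend from {}
// into its inherited constructor (Object) and on into Object.prototype.
const isObjectLike = (v) =>
  v !== null && (typeof v === 'object' || typeof v === 'function');
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable: a "constructor" or "__proto__" input key becomes a merge target.
function defaultsDeepUnsafe(target, defaults) {
  for (const key of Object.keys(defaults)) {
    const value = defaults[key];
    if (isObjectLike(value)) {
      if (!isObjectLike(target[key])) target[key] = {};
      defaultsDeepUnsafe(target[key], value); // may recurse into Object.prototype
    } else if (target[key] === undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the keys that reach the prototype chain (the check pi0 describes,
// extended to __proto__ and prototype) and only descend into the target's own
// plain-object values, never inherited ones.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function defaultsDeepSafe(target, defaults) {
  for (const key of Object.keys(defaults)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = defaults[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      defaultsDeepSafe(target[key], value);
    } else if (target[key] === undefined) {
      target[key] = value;
    }
  }
  return target;
}
// Constructed input (assumption): a parsed JSON body naming constructor.prototype.
const hostileDefaults = () =>
  JSON.parse('{"constructor":{"prototype":{"polluted":true}},"port":3000}');
// True if an unrelated, freshly created object now inherits "polluted".
function leaksIntoPrototype(merge) {
  merge({}, hostileDefaults());
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // reset so the next run starts clean
  return leaked;
}
```

Running `leaksIntoPrototype` with each merge shows the unsafe one leaves `polluted` on every object while the hardened one does not, and the hardened merge still fills in ordinary nested defaults.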

@pi0 pi0 pinned this issue Feb 7, 2019
@pi0 pi0 self-assigned this Feb 7, 2019
pi0 pushed a commit to unjs/serve-placeholder that referenced this issue Feb 7, 2019
@manniL manniL unpinned this issue Feb 10, 2019
@stale

stale bot commented Feb 28, 2019

Thanks for your contribution to Nuxt.js!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
If you would like this issue to remain open:

  1. Verify that you can still reproduce the issue in the latest version of nuxt-edge
  2. Comment the steps to reproduce it

Issues that are labeled as 🕐Pending will not be automatically marked as stale.

@stale stale bot added the stale label Feb 28, 2019
@stale stale bot closed this as completed Mar 7, 2019
@danielroe danielroe added the 2.x label Jan 18, 2023