We found results for “


Date: May 14, 2021


Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.


The NPM module `deep-override` can be abused by Prototype Pollution vulnerability since the function `override()` does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or be able to manipulate the property which leads to Denial of Service or potentially Remote code execution.

PoC Details

The `override()` function accepts `rawArgs` as arguments. Due to the absence of validation on the values passed into the argument, an attacker can supply a malicious value by adjusting the value to include the `__proto__` property. Since there is no validation before assigning the property to check whether the assigned argument is the Object's own property or not, the property `polluted` will be directly assigned to the new object thereby polluting the Object prototype. Later in the code, if there is a check to validate `polluted` the valued would be substituted as "Yes! It's Polluted" as it had been polluted.

PoC Code

var deepOverride = require("deep-override")

var obj = {} console.log("Before : " + obj.polluted);

deepOverride(obj, JSON.parse('{ "__proto__": { "polluted": "Yes! Its Polluted" }}'));

console.log("After : " + {}.polluted);

Affected Environments

1.0.0 to 1.0.1


Upgrade to version 1.0.2

Language: JS

Good to know:


Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')


Upgrade Version

Upgrade to version deep-override - 1.0.2

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Additional information: