CVE-2024-38986: Critical severity 75lb deep-merge vulnerability
Deep-merge could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the merge methods of lodash to merge objects. By adding or modifying properties of Object.prototype using a proto or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
Other sources
Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge methods of lodash to merge objects.
— MITRE
Affected Software
Event History
Frequently Asked Questions
What is the severity of CVE-2024-38986?
CVE-2024-38986 is classified as a high severity vulnerability due to its potential to allow remote code execution.
How do I fix CVE-2024-38986?
To fix CVE-2024-38986, update the @75lb/deep-merge package to version 1.1.2 or later.
Which versions of deep-merge are affected by CVE-2024-38986?
CVE-2024-38986 affects versions of the @75lb/deep-merge package up to and including 1.1.1.
What is the impact of CVE-2024-38986 on my system?
The impact of CVE-2024-38986 could allow an attacker to execute arbitrary code on the system due to a prototype pollution flaw.
Which products are affected by CVE-2024-38986?
CVE-2024-38986 affects the IBM Cognos Dashboards on Cloud Pak for Data up to version 5.0.0 and 4.8.0 as well as the specific npm package @75lb/deep-merge.