Cyber Resilience

CVE-2021-26707

Critical

Published: 02 June 2021

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0109 (78.3th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-26707 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in merge-deep (vendor: Merge-Deep Project). Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 21.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Vulnerability details

The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.
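
The mechanism described above, as an added example that is not merge-deep's code and not part of this advisory: a generic recursive merge that writes into Object.prototype when its input carries a "__proto__" key, beside a hardened version that skips prototype-related keys. The names naiveMerge, safeMerge and demo are hypothetical, and the JSON input is constructed.

```javascript
// Added example: generic recursive merges, NOT merge-deep's source code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive merge: recurses into dst[key] for every own key of src.
// JSON.parse creates "__proto__" as an own key, and dst["__proto__"]
// resolves to Object.prototype, so the recursion writes into it.
function naiveMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (isPlainObject(src[key]) && isPlainObject(dst[key])) {
      naiveMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Hardened merge: drops prototype-related keys and only recurses into
// properties the destination owns itself (never inherited ones).
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(dst, key) ? dst[key] : undefined;
    if (isPlainObject(src[key])) {
      dst[key] = safeMerge(isPlainObject(own) ? own : {}, src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Runs both merges on the same constructed untrusted input and reports
// whether a fresh, unrelated object inherited the injected property.
function demo() {
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}, "theme": {"dark": true}}');
  naiveMerge({}, untrusted);
  const naivePolluted = ({}).polluted === true;
  delete Object.prototype.polluted; // restore the global prototype
  const merged = safeMerge({ theme: { font: 'mono' } }, untrusted);
  const safePolluted = ({}).polluted === true;
  return { naivePolluted, safePolluted, merged };
}

console.log(demo());
```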

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Affected versions
merge-deep project | merge-deep | ≤ 3.0.3
netapp | e-series performance analyzer | all versions

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References