OsVault/npm/merge

npm9 critical

merge

42 known vulnerabilities · 9 critical · 8 high

CVE-2018-16469HIGH

Prototype Pollution in merge

Published Nov 1, 2018

CVE-2020-28499HIGH

Prototype Pollution in merge

Published May 4, 2021

CVE-2018-3722HIGH

Prototype Pollution in merge-deep

Published Jul 26, 2018

CVE-2021-25916CRITICAL

Prototype pollution vulnerability in 'patchmerge'

Published Oct 13, 2021

CVE-2018-3752CRITICAL

Prototype Pollution in merge-options

Published Oct 9, 2018

CVE-2022-25907HIGH

ts-deepmerge before 2.0.2 vulnerable to Prototype Pollution

Published Aug 10, 2022

CVE-2024-38996CRITICAL

Prototype pollution in ag-grid-community via the _.mergeDeep function

Published Jul 1, 2024

CVE-2021-23421MEDIUM

Prototype Pollution in merge-change

Published Sep 1, 2021

CVE-2026-34221CRITICAL

Risk: 45.53/100

MikroORM has Prototype Pollution in Utils.merge

Published Mar 29, 2026

CVE-2025-3193

algoliasearch-helper is vulnerable to Prototype Pollution in _merge()

Published Sep 27, 2025

CVE-2026-33660

n8n has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode

Published Mar 25, 2026

MAL-2026-316

Malicious code in tailwind-merge-v3 (npm)

Published Jan 16, 2026

CVE-2020-8268HIGH

Prototype pollution in json8-merge-patch

Published May 10, 2021

CVE-2020-28268HIGH

Prototype pollution in controlled-merge

Published May 18, 2021

CVE-2021-26707CRITICAL

Prototype pollution in Merge-deep

Published Jun 7, 2021

CVE-2022-24802HIGH

Prototype Pollution in deepmerge-ts

Published Apr 1, 2022

CVE-2024-57083

Redoc Prototype Pollution via `Module.mergeObjects` Component

Published Mar 28, 2025

GHSA-3jc6-6r48-v6qf

Deep Merge is Vulnerable to Prototype Pollution Through Lack of Sanitization

Published Apr 20, 2026

CVE-2018-3751CRITICAL

Prototype Pollution in merge-recursive

Published Sep 18, 2018

CVE-2021-23470HIGH

Prototype Pollution in putil-merge

Published Feb 5, 2022

CVE-2021-3645CRITICAL

merge vulnerable to Prototype Pollution

Published Sep 13, 2021

CVE-2025-64718

js-yaml has prototype pollution in merge (<<)

Published Nov 14, 2025

CVE-2021-25953CRITICAL

Prototype Pollution in putil-merge

Published Dec 10, 2021

CVE-2021-39227MEDIUM

Prototype Pollution in the merge and clone helper methods

Published Sep 20, 2021

MAL-2022-1419

Malicious code in babelhelspevvuejsxmergeprops (npm)

Published Aug 19, 2022

CVE-2018-3753CRITICAL

Prototype Pollution in async merge-object

Published Sep 18, 2018

CVE-2026-25056

n8n Merge Node has Arbitrary File Write leading to RCE

Published Feb 4, 2026

CVE-2025-66219

willitmerge has a Command Injection vulnerability

Published Nov 26, 2025

CVE-2026-25639

Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig

Published Feb 9, 2026

CVE-2021-23397MEDIUM

@ianwalter/merge Prototype Pollution via `merge` function

Published Jul 26, 2022

MAL-2022-4560

Malicious code in mergeseekrangegaps (npm)

Published Jun 20, 2022

CVE-2021-23700MEDIUM

Prototype Pollution in merge-deep2.

Published Dec 16, 2021

MAL-2022-1688

Malicious code in broccolirmergetes (npm)

Published Aug 19, 2022

MAL-2025-3629

Malicious code in jest-coverage-merge (npm)

Published May 6, 2025

MAL-2022-6883

Malicious code in uxpin-merge-ms-fabric (npm)

Published Jun 20, 2022

CVE-2026-27497

n8n has Potential Remote Code Execution via Merge Node

Published Feb 25, 2026

CVE-2021-23417MEDIUM

Prototype Pollution in deepmergefn

Published Aug 10, 2021

MAL-2022-441

Malicious code in @msmg/vue-merge-data-qa (npm)

Published Jun 20, 2022

MAL-2025-163

Malicious code in automerge-action (npm)

Published Jan 20, 2025

MAL-2026-315

Malicious code in tailwind-merge-v2 (npm)

Published Jan 16, 2026

MAL-2024-11877

Malicious code in label-merge-conflicts-action (npm)

Published Dec 16, 2024

MAL-2026-1297

Malicious code in json-merge-tool (npm)

Published Mar 9, 2026

Check your entire dependency tree at onceRun dependency scan →