Description
Versions of angular prior to 1.7.9 are vulnerable to prototype pollution. The deprecated API function merge() does not restrict the modification of an Object’s prototype in the , which may allow an attacker to add or modify an existing property that will exist on all objects.
Recommendation
Update the angular package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.7.9
- Patched version(s): 1.7.9
References
- GHSA-89mq-4x47-5v83
- snyk.io
- lists.apache.org
- CVE-2019-10768
- CWE-1321
- CWE-20
- CWE-915
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
- OWASP 2021-A8
Related Issues
- node-opcua-alarm-condition prototype pollution vulnerability - CVE-2024-57086
- Bun has an Application-level Prototype Pollution vulnerability in the runtime native API for Glo - CVE-2024-21548
- @intlify/shared Prototype Pollution vulnerability (GHSA-hjwq-mjwj-4x6c) - CVE-2024-52810
- @intlify/shared Prototype Pollution vulnerability (GHSA-hjwq-mjwj-4x6c) 3 - CVE-2024-52810
- Tags:
- npm
- angular
Anything's wrong? Let us know Last updated on November 20, 2025