Prototype pollution in ag-grid-community via the _.mergeDeep function (GHSA-876p-c77m-x2hc)

Severity:: High

Description

ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. Prior versions were also found to be affected.

Recommendation

Update the ag-grid-enterprise package to the latest compatible version. Followings are version details:

Affected version(s): < 31.3.4
Patched version(s): 31.3.4

References

GHSA-876p-c77m-x2hc
CVE-2024-38996
CWE-1321
CAPEC-310
OWASP 2021-A6

Related Issues

@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message - CVE-2025-64758
`sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js` - CVE-2025-62381
matrix-js-sdk has insufficient validation when considering a room to be upgraded by another - CVE-2025-59160
Modified package published to npm, containing malware that exfiltrates private key material - CVE-2024-54134

Tags:: npm; ag-grid-enterprise

Anything's wrong? Let us know Last updated on September 04, 2024