This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
https://github.com/firebase/firebase-js-sdk/pull/4001
https://github.com/firebase/firebase-js-sdk/commit/9cf727fcc3d049551b16ae0698ac33dc2fe45ada
https://snyk.io/vuln/SNYK-JS-FIREBASEUTIL-1038324
Source: Mitre, NVD
Published: 2020-11-16
Updated: 2026-06-17
Base Score: 5
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N
Severity: Medium
Base Score: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.00169