Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12dnY4LXh3NWYtM2Y4OM4AArtg
Prototype Pollution in mout
This affects all versions of package mout before 1.2.4. The deepFillIn function is used to fill missing properties recursively, while deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases the key used to access the target object recursively is not checked, so a source object carrying a key such as `__proto__` walks the merge into `Object.prototype` and lets an attacker add or overwrite properties there (prototype pollution). Note: This vulnerability derives from an incomplete fix of CVE-2020-7792.
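To make the traversal problem concrete, the following is an added example written for this page; it is not mout's code and does not reproduce its implementation. It builds minimal fill-in and mix-in helpers with the same unchecked recursive key access the advisory describes, feeds them a constructed JSON payload of the kind an attacker would supply, and shows an unrelated object inheriting the injected property. A hardened variant that rejects prototype-chain keys and only recurses into own properties is shown beside them. The helper names (`deepMixInVulnerable`, `deepFillInVulnerable`, `deepMixInSafe`, `pollutionCheck`) and the payload are assumptions of this example.

```javascript
'use strict';
// Added example (not mout's code): minimal recursive fill-in / mix-in helpers
// with the unchecked-key traversal the advisory describes, beside a hardened
// variant. PAYLOAD is a constructed attacker input, e.g. a parsed request body.

const PAYLOAD = '{"__proto__": {"polluted": "yes"}}';

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable deepMixIn-style merge: recurses on whatever key the source has.
// For key "__proto__", target[key] resolves to Object.prototype, which passes
// the plain-object test, so the recursion writes straight into it.
function deepMixInVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val) && isPlainObject(target[key])) {
      deepMixInVulnerable(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Vulnerable deepFillIn-style merge: only fills keys the target lacks, but the
// recursion step has the same unchecked key and still reaches Object.prototype.
function deepFillInVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (target[key] === undefined) {
      target[key] = val;
    } else if (isPlainObject(val) && isPlainObject(target[key])) {
      deepFillInVulnerable(target[key], val);
    }
  }
  return target;
}

// Hardened merge: refuse the keys that lead into the prototype chain and only
// recurse into properties the target actually owns (never inherited ones).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function deepMixInSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // drop silently, or throw to fail loudly
    const val = source[key];
    if (isPlainObject(val) && hasOwn(target, key) && isPlainObject(target[key])) {
      deepMixInSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Runs one merge against a fresh target, then reports whether an unrelated
// object now sees the injected property. Cleans Object.prototype afterwards so
// the process is not left polluted for later code.
function pollutionCheck(mergeFn) {
  const unrelated = {};
  mergeFn({ existing: 1 }, JSON.parse(PAYLOAD));
  const leaked = unrelated.polluted;
  delete Object.prototype.polluted;
  return leaked; // 'yes' if Object.prototype was polluted, undefined otherwise
}

console.log('deepMixIn  (vulnerable):', pollutionCheck(deepMixInVulnerable));
console.log('deepFillIn (vulnerable):', pollutionCheck(deepFillInVulnerable));
console.log('deepMixIn  (hardened):  ', pollutionCheck(deepMixInSafe));
```

The `__proto__` key survives `JSON.parse` as an ordinary own property, so any merge that looks it up on the target lands on `Object.prototype`; blocking the key is the fix, and the own-property check is defence in depth against other inherited objects being used as recursion targets. For mout itself the remediation on this page is to upgrade to 1.2.4 or later.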
Permalink: https://github.com/advisories/GHSA-vvv8-xw5f-3f88
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12dnY4LXh3NWYtM2Y4OM4AArtg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-vvv8-xw5f-3f88, CVE-2022-21213
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-21213
- https://github.com/mout/mout/blob/master/src/object/deepFillIn.js
- https://github.com/mout/mout/blob/master/src/object/deepMixIn.js
- https://snyk.io/vuln/SNYK-JS-MOUT-2342654
- https://github.com/mout/mout/pull/279
- https://github.com/mout/mout/commit/17ffdc2a96417a63a0147156dc045e90d0d14c64
- https://github.com/advisories/GHSA-vvv8-xw5f-3f88
Blast Radius: 34.9
Affected Packages
npm:mout
Dependent packages: 420
Dependent repositories: 45,303
Downloads: 1,484,769 last month
Affected Version Ranges: <= 1.2.3
Fixed in: 1.2.4
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.9.1, 0.10.0, 0.11.0, 0.11.1, 0.12.0, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3
All unaffected versions: 1.2.4