Ecosyste.ms: Advisories
Use of Potentially Dangerous Function in mixme
Impact
In Node.js mixme v0.5.0, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This puts the availability of the program at risk, causing a potential denial of service (DoS).
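As an added illustration of the class of fix the advisory describes (example code, not mixme's own implementation), the deep merge below refuses to write through the prototype chain and includes a check that Object.prototype stayed clean; the function names and the sample payload are assumptions.

```javascript
// Added example, not mixme's own code: a deep merge hardened against the
// prototype-pollution pattern the advisory describes. Names are assumed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True for objects created by {} or JSON.parse, false for arrays, class
// instances, functions and primitives.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursively copies own enumerable keys of `source` into `target`.
// Keys that can reach the prototype chain are skipped, and recursion only
// happens into own plain-object values, so Object.prototype is never written.
function safeMerge(target, source) {
  if (!isPlainObject(target) || !isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // the pollution vector
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const base = own && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeMerge(base, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection: lists own enumerable properties on Object.prototype, which a
// clean runtime never has. Useful as a test-suite or startup invariant.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Constructed untrusted input, as would come from JSON.parse on a request
// body. JSON.parse stores "__proto__" as an own key, which a naive
// `target[key] = merge(target[key], value)` would resolve to Object.prototype.
const UNTRUSTED = JSON.parse('{"__proto__": {"polluted": true}, "name": "demo"}');

// Merges the untrusted input and reports whether the process stayed clean.
function demo() {
  const merged = safeMerge({ existing: 1 }, UNTRUSTED);
  return merged.name === 'demo' && merged.existing === 1
    && !('polluted' in merged) && ({}).polluted === undefined
    && pollutedPrototypeKeys().length === 0;
}
```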
Patches
The problem is corrected starting with version 0.5.1.
References
Issue: https://github.com/adaltas/node-mixme/issues/1
Commit: https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc5anctNndnNy1yOWc0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: about 1 year ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Identifiers: GHSA-79jw-6wg7-r9g4, CVE-2021-29491
References:
- https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4
- https://nvd.nist.gov/vuln/detail/CVE-2021-29491
- https://security.netapp.com/advisory/ntap-20210622-0002/
- https://github.com/advisories/GHSA-79jw-6wg7-r9g4
Blast Radius: 28.6
Affected Packages
npm:mixme
Dependent packages: 32
Dependent repositories: 10,797
Downloads: 3,478,945 last month
Affected Version Ranges: < 0.5.1
Fixed in: 0.5.1
All affected versions: 0.0.1, 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.5, 0.4.0, 0.5.0
All unaffected versions: 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.8, 0.5.9, 0.5.10, 1.0.0, 1.1.0