Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZoamYtODN3Zy1yMmo5

Prototype Pollution in mixin-deep

Versions of mixin-deep prior to 2.0.1 or 1.3.2 are vulnerable to Prototype Pollution. The mixinDeep function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

Recommendation

If you are using mixin-deep 2.x, upgrade to version 2.0.1 or later.
If you are using mixin-deep 1.x, upgrade to version 1.3.2 or later.

Permalink: https://github.com/advisories/GHSA-fhjf-83wg-r2j9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZoamYtODN3Zy1yMmo5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 5 years ago
Updated: about 1 year ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00739
EPSS Percentile: 0.81102

Identifiers: GHSA-fhjf-83wg-r2j9, CVE-2019-10746
References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-10746
• https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
• https://lists.fedoraproject.org/archives/list/[email protected]/message/BFNIVG2XYFPZJY3DYYBJASZ7ZMKBMIJT/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/UXRA365KZCUNXMU3KDH5JN5BEPNIGUKC/
• https://www.npmjs.com/advisories/1013
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://github.com/jonschlinkert/mixin-deep/commit/8f464c8ce9761a8c9c2b3457eaeee9d404fa7af9
• https://github.com/jonschlinkert/mixin-deep/commit/90ee1fab375fccfd9b926df718243339b4976d50
• https://github.com/advisories/GHSA-fhjf-83wg-r2j9

Repository: https://github.com/jonschlinkert/mixin-deep
Blast Radius: 58.7

Affected Packages