Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI1Y3EtOTUzNy05cnBm
Prototype Pollution in mixme
Node.js mixme 0.5.0, an attacker can add or alter properties of an object via 'proto' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).
Permalink: https://github.com/advisories/GHSA-r5cq-9537-9rpfJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI1Y3EtOTUzNy05cnBm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: 4 months ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Identifiers: GHSA-r5cq-9537-9rpf, CVE-2021-28860
References:
- https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4
- https://nvd.nist.gov/vuln/detail/CVE-2021-28860
- https://github.com/adaltas/node-mixme/issues/1
- https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028
- https://www.npmjs.com/~david
- http://nodejs.com
- https://security.netapp.com/advisory/ntap-20210618-0005/
- https://github.com/advisories/GHSA-r5cq-9537-9rpf
Affected Packages
npm:mixme
Versions: < 0.5.1Fixed in: 0.5.1