Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI1Y3EtOTUzNy05cnBm

Prototype Pollution in mixme

Node.js mixme 0.5.0, an attacker can add or alter properties of an object via 'proto' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).

Permalink: https://github.com/advisories/GHSA-r5cq-9537-9rpf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI1Y3EtOTUzNy05cnBm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: about 1 year ago


CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Identifiers: GHSA-r5cq-9537-9rpf, CVE-2021-28860
References: Repository: https://github.com/adaltas/node-mixme

Affected Packages

npm:mixme
Dependent packages: 32
Dependent repositories: 10,797
Downloads: 3,322,789 last month
Affected Version Ranges: < 0.5.1
Fixed in: 0.5.1
All affected versions: 0.0.1, 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.5, 0.4.0, 0.5.0
All unaffected versions: 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.8, 0.5.9, 0.5.10, 1.0.0, 1.1.0