Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Improperly Controlled Modification of Dynamically-Determined Object Attributes in express-mock-middleware

express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Functions exported by the package can be tricked into adding or modifying properties of Object.prototype. Exploitation of this vulnerability requires creating a new directory in which attack code can be placed, which express-mock-middleware will then export. As such, this is considered to be a low risk.

Permalink: https://github.com/advisories/GHSA-v39h-qm32-8gwq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXYzOWgtcW0zMi04Z3dx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago


CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-v39h-qm32-8gwq, CVE-2020-7616
References: Repository: https://github.com/LingyuCoder/express-mock-middleware
Blast Radius: 5.3

Affected Packages

npm:express-mock-middleware
Dependent packages: 1
Dependent repositories: 10
Downloads: 176 last month
Affected Version Ranges: <= 0.0.6
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.5, 0.0.6