GHSA-79jw-6wg7-r9g4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-79jw-6wg7-r9g4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-79jw-6wg7-r9g4/GHSA-79jw-6wg7-r9g4.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-79jw-6wg7-r9g4
- Aliases
-
- CVE-2021-29491
- Related
- Published
- 2021-05-06T15:45:39Z
- Modified
- 2025-01-08T10:42:08.031647Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVSS Calculator
- Summary
- Use of Potentially Dangerous Function in mixme
- Details
-
Impact
In Node.js mixme v0.5.0, an attacker can add or alter properties of an object via 'proto' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).
Patches
The problem is corrected starting with version 0.5.1.
References
Issue: https://github.com/adaltas/node-mixme/issues/1 Commit: https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028
- Database specific
{ "nvd_published_at": "2021-05-06T13:15:00Z", "cwe_ids": [ "CWE-913" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-05-05T18:39:38Z" }- References
Affected packages
npm / mixme
Package
- Name
- mixme
- View open source insights on deps.dev
- Purl
- pkg:npm/mixme