GHSA-fhjf-83wg-r2j9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fhjf-83wg-r2j9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-fhjf-83wg-r2j9/GHSA-fhjf-83wg-r2j9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fhjf-83wg-r2j9
- Aliases
-
- CVE-2019-10746
- SNYK-JS-MIXINDEEP-450212
- Published
- 2019-08-27T17:42:33Z
- Modified
- 2023-11-29T20:55:21Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Prototype Pollution in mixin-deep
- Details
-
Versions of
mixin-deepprior to 2.0.1 or 1.3.2 are vulnerable to Prototype Pollution. ThemixinDeepfunction fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.Recommendation
If you are using
mixin-deep2.x, upgrade to version 2.0.1 or later. If you are usingmixin-deep1.x, upgrade to version 1.3.2 or later. - References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-10746
- https://github.com/jonschlinkert/mixin-deep/commit/8f464c8ce9761a8c9c2b3457eaeee9d404fa7af9
- https://github.com/jonschlinkert/mixin-deep/commit/90ee1fab375fccfd9b926df718243339b4976d50
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFNIVG2XYFPZJY3DYYBJASZ7ZMKBMIJT
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXRA365KZCUNXMU3KDH5JN5BEPNIGUKC
- https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
- https://www.npmjs.com/advisories/1013
- https://www.oracle.com//security-alerts/cpujul2021.html
Affected packages
npm / mixin-deep
Package
- Name
- mixin-deep
- View open source insights on deps.dev
- Purl
- pkg:npm/mixin-deep
npm / mixin-deep
Package
- Name
- mixin-deep
- View open source insights on deps.dev
- Purl
- pkg:npm/mixin-deep