PT-2019-12022 · Npm+4 · Mixin-Deep+4

Published: 2019-08-23 · Updated: 2022-10-29 · CVE-2019-10746

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

mixin-deep versions prior to 1.3.2
mixin-deep versions prior to 2.0.1

Description

The issue concerns Prototype Pollution, where the mixin-deep function can be tricked into adding or modifying properties of Object.prototype using a constructor payload. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. The mixinDeep function fails to validate which Object properties it updates.

Recommendations

If you are using mixin-deep 2.x, upgrade to version 2.0.1 or later. If you are using mixin-deep 1.x, upgrade to version 1.3.2 or later.
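
The missing key validation from the description, shown as an added example that sets a simplified unvalidated merge beside a key-validated one. This is not mixin-deep's source or its patch: `mergeUnchecked`, `mergeSafe`, `demo` and the JSON input are constructed for illustration. The safe version also skips `__proto__` and `prototype`, which goes beyond the constructor case named above.

```javascript
// Added illustration: simplified recursive merges, not mixin-deep's code.
const isObject = (v) =>
  v !== null && (typeof v === 'object' || typeof v === 'function');
const isPlain = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Keys that lead from an ordinary object to a shared prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// No key validation: the walk follows whatever keys the source supplies,
// including inherited members such as target.constructor.
function mergeUnchecked(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isObject(val) && isObject(target[key])) mergeUnchecked(target[key], val);
    else target[key] = val;
  }
  return target;
}

// Key validation: unsafe keys are skipped at every depth, and recursion
// only enters own plain-object properties of the target.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlain(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlain(target[key])) target[key] = {};
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed input, parsed the way untrusted JSON would arrive.
function demo() {
  const input = JSON.parse(
    '{"constructor":{"prototype":{"polluted":true}},"name":"x"}');
  const safe = mergeSafe({}, input);
  const afterSafe = ({}).polluted;       // unrelated object stays clean
  mergeUnchecked({}, input);
  const afterUnchecked = ({}).polluted;  // unrelated object now affected
  delete Object.prototype.polluted;      // restore the shared prototype
  return { safe, afterSafe, afterUnchecked };
}
console.log(demo());
```

Checking `({}).polluted` on a fresh object after a merge of untrusted data makes a quick regression test for any in-house merge helper.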

Exploit

Fix

Argument Injection

Weakness Enumeration

Related Identifiers

ALSA-2021:0549
CESA-2021_0549
CVE-2019-10746
GHSA-FHJF-83WG-R2J9
RHSA-2021:0485
RHSA-2021:0549
RHSA-2021_0549
RLSA-2021:0549
SNYK-JS-MIXINDEEP-450212

Affected Products

Almalinux
Centos
Red Hat
Rocky Linux
Mixin-Deep