CVE-2023-26158

Name of the Vulnerable Software and Affected Versions mockjs versions prior to a version with the fixed Util.extend function

Description The issue arises from a missing check in the Util.extend function, allowing Prototype Pollution. This occurs when an attribute resolves to the object prototype, enabling the addition or modification of attributes on an object prototype. As a result, attributes can be created that exist on every object, or critical attributes can be replaced with malicious ones. This is particularly problematic if the software relies on the existence or non-existence of certain attributes or uses pre-defined attributes of the object prototype, such as hasOwnProperty, toString, or valueOf. User-controlled inputs inside the extend() method of Mock.Handler, Mock.Random, Mock.RE.Handler, or Mock.Util can be exploited.

Recommendations To resolve the issue, add a denylist of dangerous attributes to the Util.extend function. Specifically, add the line if ([" proto ", "constructor", "prototype"].includes(name)) continue to eliminate this weakness. This modification will prevent the exploitation of the Prototype Pollution vulnerability.