CVE-2019-10746

Critical

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into…

snyk·CWE-88·Published 2019-08-23

CVSS

9.8

EPSS

0.04

KEV

Exploits

Vendor statements (2)

cve.orgen

217 chars

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

OSV.deven

461 chars

Versions of `mixin-deep` prior to 2.0.1 or 1.3.2 are vulnerable to Prototype Pollution. The `mixinDeep` function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects. ## Recommendation If you are using `mixin-deep` 2.x, upgrade to version 2.0.1 or later. If you are using `mixin-deep` 1.x, upgrade to version 1.3.2 or later.

GHSAen

461 chars

NVDes

225 chars

mixin-deep es vulnerable a Prototype Pollution en versiones anteriores a 1.3.2 y 2.0.0. La función mixin-deep podría ser engañada para agregar o modificar propiedades de Object.prototype usando una carga útil del constructor.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	7.5	10.0	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
3.1	Primary	NVD	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.1	Secondary	GHSA	9.8	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H