Description
Prototype Pollution in mixme
In Node.js mixme 0.5.0, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk, causing a potential denial of service (DoS).
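The class of bug described above, as an added example that is not mixme's code or its 0.5.1 patch: a generic recursive merge that follows an own `__proto__` key into `Object.prototype`, beside a hardened variant. The names `naiveMerge`, `safeMerge`, `BLOCKED_KEYS` and the sample payload are constructed for illustration.

```javascript
// Added illustration: generic recursive merges, NOT mixme's source or its fix.
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable pattern: recurses into whatever target[key] resolves to.
// For key "__proto__", target[key] is Object.prototype itself.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key])) {
      if (!isObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: drop prototype-related keys and only recurse into
// properties the target owns, never into inherited ones.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isObject(value)) {
      const existing = hasOwn(target, key) && isObject(target[key]) ? target[key] : {};
      target[key] = safeMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input: JSON.parse creates "__proto__" as an own key.
const SAMPLE = '{"name": "cfg", "opts": {"debug": false}, "__proto__": {"polluted": true}}';

function demo() {
  const merged = safeMerge({ opts: { level: 1 } }, JSON.parse(SAMPLE));
  const afterSafe = ({}).polluted;            // unrelated object stays clean
  naiveMerge({}, JSON.parse(SAMPLE));
  const afterNaive = ({}).polluted;           // every object now inherits it
  delete Object.prototype.polluted;           // undo the pollution
  return { merged, afterSafe, afterNaive, afterCleanup: ({}).polluted };
}

console.log(demo());
```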
References
- https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4
- https://nvd.nist.gov/vuln/detail/CVE-2021-28860
- https://github.com/adaltas/node-mixme/issues/1
- https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028
- https://security.netapp.com/advisory/ntap-20210618-0005
- https://www.npmjs.com/~david
- http://nodejs.com
Packages
- Name: mixme (npm)
- Affected versions: < 0.5.1
- Fixed version: 0.5.1
Related vulnerabilities
CVSS3: 9.1
nvd
almost 5 years ago
In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk, causing a potential denial of service (DoS).