CVE-2020-7616 – express-mock-middleware
Package
Manager: npm
Name: express-mock-middleware
Vulnerable Version: >=0 <=0.0.6
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00318 (percentile: 0.54249)
Details
Improperly Controlled Modification of Dynamically-Determined Object Attributes in express-mock-middleware
express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Functions exported by the package can be tricked into adding or modifying properties of `Object.prototype`. Exploitation requires creating a new directory in which attack code can be placed, which is then exported by `express-mock-middleware`. As such, this is considered to be low risk.
Metadata
Created: 2021-12-09T19:57:29Z
Modified: 2021-07-29T15:53:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-v39h-qm32-8gwq/GHSA-v39h-qm32-8gwq.json
CWE IDs: ["CWE-1321", "CWE-915"]
Alternative ID: GHSA-v39h-qm32-8gwq
Finding: F390
Auto approve: 1