CVE-2021-29491 – mixme
Package
Manager: npm
Name: mixme
Vulnerable Version: >=0 <0.5.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Use of Potentially Dangerous Function in mixme

### Impact

In Node.js mixme v0.5.0, an attacker can add or alter properties of an object via `__proto__` through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).

### Patches

The problem is corrected starting with version 0.5.1.

### References

- Issue: https://github.com/adaltas/node-mixme/issues/1
- Commit: https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028
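
The class of bug described under Impact, shown as an added example that is not mixme's source code: a recursive merge that follows the `__proto__` key writes into `Object.prototype`, while a merge that skips prototype-related keys does not. The names `naiveMerge`, `safeMerge`, `BLOCKED_KEYS` and `demo`, and the sample JSON input, are constructed for illustration; the key filter is one common mitigation and is not claimed to be the project's actual patch.

```javascript
'use strict';

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern: target['__proto__'] resolves to Object.prototype,
// so recursing into it assigns properties shared by every object.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: skip keys that reach the prototype chain and only
// recurse into properties the target itself owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key] : undefined;
      target[key] = safeMerge(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input: JSON.parse creates "__proto__" as an own property,
// which is how such a key typically arrives from untrusted data.
function demo() {
  const untrusted = JSON.parse('{"name":"app","__proto__":{"polluted":true}}');
  naiveMerge({}, untrusted);
  const naivePolluted = ({}).polluted === true; // unrelated object affected
  delete Object.prototype.polluted;             // restore a clean state
  const merged = safeMerge({}, untrusted);
  const safePolluted = ({}).polluted === true;
  return { naivePolluted, safePolluted, safeName: merged.name };
}

console.log(demo());
```

A regression test for a merge utility can use the same check: merge a `JSON.parse`d object containing a `__proto__` key and assert that a fresh `{}` has gained no new property.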
Metadata
Created: 2021-05-06T15:45:39Z
Modified: 2021-05-07T21:13:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-79jw-6wg7-r9g4/GHSA-79jw-6wg7-r9g4.json
CWE IDs: ["CWE-913"]
Alternative ID: GHSA-79jw-6wg7-r9g4
Finding: F039
Auto approve: 1