CVE-2022-21213 – mout

Package

Manager: npm
Name: mout
Vulnerable Version: >=0 <1.2.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

EPSS: 0.01253 pctl0.78574

Details

Prototype Pollution in mout This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, leading to exploiting this vulnerability. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7792](https://security.snyk.io/vuln/SNYK-JS-MOUT-1014544).

Metadata

Created: 2022-06-18T00:00:20Z
Modified: 2022-06-20T22:33:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-vvv8-xw5f-3f88/GHSA-vvv8-xw5f-3f88.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-vvv8-xw5f-3f88
Finding: F390
Auto approve: 1