Severity: high

    Prototype Pollution

    mixme

    Overview

    Impact

    In affected versions of mixme, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This puts the availability of the program at risk, causing a potential denial of service (DoS).

    Patches

    The problem is corrected starting with version 0.5.1.

    Workarounds

    No

    References

    Issue: https://github.com/adaltas/node-mixme/issues/1
    Commit: https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028

    For more information

    If you have any questions or comments about this advisory:

    Remediation

    Upgrade to version 0.5.1 or later

    Advisory timeline

    1. published

      Advisory Published
      May 6th, 2021
    2. reported

      Reported by Anonymous
      May 6th, 2021