Use of Potentially Dangerous Function in mixme
Description
Reviewed
May 5, 2021
Published by the National Vulnerability Database
May 6, 2021
Published to the GitHub Advisory Database
May 6, 2021
Last updated
Feb 1, 2023
Impact
In Node.js mixme v0.5.0, an attacker can add or alter properties of an object via 'proto' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).
Patches
The problem is corrected starting with version 0.5.1.
References
Issue: adaltas/node-mixme#1
Commit: adaltas/node-mixme@cfd5fbf
References