Platform
nodejs
Component
mixin-deep
Fixed in
1.3.3
1.3.2
CVE-2019-10746 describes a Prototype Pollution vulnerability affecting the mixin-deep Node.js package. This vulnerability allows attackers to modify the prototype of the JavaScript Object class, potentially leading to unexpected behavior and security compromises across applications. Versions of mixin-deep prior to 2.0.1 or 1.3.2 are vulnerable. Mitigation involves upgrading to a patched version.
Prototype Pollution vulnerabilities are particularly dangerous because they can silently introduce malicious properties into the global Object prototype. This means that any code using Object methods or properties can be affected, potentially leading to arbitrary code execution or denial of service. An attacker could inject properties that alter the behavior of built-in JavaScript functions, leading to unpredictable application behavior. The impact extends beyond the mixin-deep package itself, affecting any application that uses it and relies on the integrity of the JavaScript prototype.
This vulnerability gained significant attention due to its potential for widespread impact. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the ease with which the prototype can be polluted. The vulnerability was publicly disclosed on August 27, 2019. Active exploitation campaigns are not widely reported, but the availability of PoCs increases the risk of opportunistic attacks.
Exploit Status
EPSS
1.13% (78% percentile)
CVSS Vector
The primary mitigation for CVE-2019-10746 is to upgrade the mixin-deep package to version 2.0.1 or later, or to version 1.3.2 if using the 1.x branch. If upgrading is not immediately feasible, consider implementing input validation to sanitize data passed to the mixinDeep function, preventing attackers from injecting malicious properties. While not a complete solution, this can reduce the attack surface. There are no specific WAF rules or detection signatures readily available for this vulnerability, as it's a prototype pollution issue. After upgrading, confirm the fix by running tests that utilize the mixinDeep function with various input payloads to ensure no unexpected prototype modifications occur.
Update the mixin-deep dependency to version 1.3.2 or later, or to version 2.0.1 or later. This corrects the Prototype Pollution vulnerability. Run `npm install mixin-deep@latest` or `yarn upgrade mixin-deep` to obtain the latest version.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2019-10746 is a CRITICAL Prototype Pollution vulnerability in the mixin-deep Node.js package, allowing attackers to modify the Object prototype and potentially compromise applications.
You are affected if you are using mixin-deep versions prior to 2.0.1 or 1.3.2 in your Node.js project. Check your dependencies with npm list mixin-deep.
Upgrade the mixin-deep package to version 2.0.1 or later, or to version 1.3.2 if using the 1.x branch. Use npm install mixin-deep@latest or npm install [email protected].
While widespread active exploitation is not widely reported, public proof-of-concept exploits exist, increasing the risk of opportunistic attacks.
Refer to the mixin-deep project's GitHub repository for updates and advisories: https://github.com/mixin/mixin-deep
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.