Platform
nodejs
Component
mixin-deep
Fixed in
1.3.3
1.3.2
CVE-2019-10746 describes a Prototype Pollution vulnerability in the mixin-deep Node.js package. The package's mixinDeep function recursively merges source objects into a target without rejecting the key `__proto__` (or `constructor`/`prototype`), so a crafted source such as {"__proto__": {"isAdmin": true}} writes properties onto Object.prototype, which every plain object in the process then inherits. Versions prior to 1.3.2 on the 1.x branch and prior to 2.0.1 on the 2.x branch are vulnerable. Mitigation is to upgrade to a patched version.
Prototype Pollution is dangerous because the injected properties are inherited by every object that does not define them itself, silently and process-wide. Code that tests a property it never set, for example `if (user.isAdmin)`, `options.timeout || defaultTimeout`, or a library reading settings from an options object, now sees the attacker's value. Depending on what consumes the polluted property, that can mean authorization checks passing, denial of service (a polluted `toString`, or a value that sends a parser or loop into an unexpected branch), or code execution when the value reaches a template engine, an `eval`-style API, or a child-process spawn whose arguments come from an object. The pollution itself executes nothing; the impact is set by how the application and its dependencies use properties they did not set. It therefore extends well beyond mixin-deep to every application that bundles it, directly or transitively.
This vulnerability drew attention because mixin-deep sits deep in the dependency trees of many npm packages, so a large number of applications carry it without depending on it directly. It is not currently listed on the CISA KEV catalog. Public proof-of-concept payloads exist and are trivial: a single JSON document with a `__proto__` key is enough. The vulnerability was publicly disclosed on August 27, 2019. Active exploitation campaigns are not widely reported, but the simplicity of the payload keeps the risk of opportunistic attacks real.
Applications built with Node.js that use the mixin-deep package for deep object merging are at risk. The attacker-reachable cases are those where untrusted data (a JSON request body, a parsed query object, an uploaded configuration file) is passed into mixinDeep, either directly or through a dependency that wraps it. Callers that only merge trusted, hard-coded objects are not reachable by an attacker but still ship the vulnerable code and should be upgraded.
• nodejs / supply-chain: npm list mixin-deep (shows every installed copy and the dependency chain that pulls it in)
• nodejs / supply-chain: npm audit (takes no package argument; it reports the advisory for any vulnerable installed version)
• nodejs / supply-chain: grep -rn "mixin-deep" --exclude-dir=node_modules . (finds the require/import sites in your own code; grepping for mixinDeep( inside node_modules/mixin-deep only returns the package's own definition)
disclosure
patch
Exploit Status
EPSS
1.13% (78th percentile)
CVSS-vector
The primary mitigation for CVE-2019-10746 is to upgrade the mixin-deep package to version 2.0.1 or later, or to version 1.3.2 or later if using the 1.x branch. If mixin-deep is only a transitive dependency, the fix has to reach the installed copy: run `npm audit fix`, or pin the version with an overrides (npm) or resolutions (yarn) entry in package.json, then confirm with `npm list mixin-deep`. If upgrading is not immediately feasible, reject or strip the keys `__proto__`, `constructor` and `prototype` from untrusted input before it reaches mixinDeep; this narrows the attack surface but is not a complete fix, since another dependency may call the same vulnerable copy on its own input. There are no WAF rules or detection signatures specific to this package; a generic rule that blocks those three keys in JSON request bodies catches the common payload but can be bypassed by alternative encodings of the key (for example JSON unicode escapes), so it is a stopgap, not a patch. After upgrading, confirm the fix by merging known pollution payloads and checking that a freshly created `{}` does not inherit the injected property.
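The following is an added example, not the mixin-deep source or the page's own code. It implements a minimal recursive merge with the same defect class the advisory describes (no filtering of prototype-reaching keys) beside a hardened version, and a small harness of constructed payloads that tells the two apart, which is the post-upgrade check described above. The function names, the permissive mergeability rule and the payloads are assumptions made for the illustration.

```javascript
'use strict';

// Added example (not the mixin-deep source): a minimal deep merge with the
// defect class of CVE-2019-10746, a hardened version, and a harness of
// constructed payloads that distinguishes them. Names are illustrative.

// Mirrors the permissive "extendable" check deep-merge libraries tend to use:
// objects, arrays and functions are all recursed into.
function isMergeable(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// Vulnerable: every own key of `source` is merged, "__proto__" included.
// target["__proto__"] resolves through the inherited accessor to
// Object.prototype, so a nested object under that key is written onto the
// prototype every plain object shares. "constructor" -> "prototype" reaches
// the same place through the Object constructor function.
function mergeDeepUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isMergeable(val) && isMergeable(target[key])) {
      mergeDeepUnsafe(target[key], val);
    } else if (isMergeable(val)) {
      target[key] = mergeDeepUnsafe({}, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: drop the three keys that can reach a prototype, and only recurse
// into properties the target itself owns, never into inherited ones.
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (PROTOTYPE_KEYS.has(key)) continue;
    const val = source[key];
    const ownMergeable =
      Object.prototype.hasOwnProperty.call(target, key) && isMergeable(target[key]);
    if (isMergeable(val) && ownMergeable) {
      mergeDeepSafe(target[key], val);
    } else if (isMergeable(val)) {
      target[key] = mergeDeepSafe({}, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed attacker payloads, shaped like a JSON request body.
// JSON.parse creates a real own property named "__proto__", which is why
// the key shows up in Object.keys() and gets merged.
const PAYLOADS = [
  '{"__proto__": {"polluted": "yes"}}',
  '{"constructor": {"prototype": {"polluted": "yes"}}}',
  '{"a": {"__proto__": {"polluted": "yes"}}}',
];

// Returns true if running `payload` through `merge` made a fresh object
// inherit the marker. Always removes the marker again so one probe cannot
// mask the next.
function pollutes(merge, payload) {
  try {
    merge({}, JSON.parse(payload));
    return ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}

// One boolean per payload: [true, true, true] for the unsafe merge,
// [false, false, false] for the hardened one.
function auditMerge(merge) {
  return PAYLOADS.map((p) => pollutes(merge, p));
}

console.log('unsafe merge polluted:', auditMerge(mergeDeepUnsafe));
console.log('safe merge polluted:  ', auditMerge(mergeDeepSafe));
```

To verify a real installation rather than this stand-in, point auditMerge at the installed module (`require('mixin-deep')`): a patched version returns all false, a vulnerable one returns true for the payloads it accepts. The harness cleans Object.prototype after each probe, which matters because a single leaked marker would otherwise make every later probe report pollution.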
Update the mixin-deep dependency to version 1.3.2 or later, or to version 2.0.1 or later. This fixes the Prototype Pollution vulnerability. Run `npm install mixin-deep@latest` or `yarn upgrade mixin-deep` to get the latest version; note that these commands only change a direct dependency, so for a transitive copy use `npm audit fix` or an overrides/resolutions entry instead.
CVE-2019-10746 is a CRITICAL Prototype Pollution vulnerability in the mixin-deep Node.js package: the mixinDeep merge accepts `__proto__` keys from its input, letting an attacker add properties to Object.prototype and potentially compromise the application.
You are affected if you are using mixin-deep versions prior to 2.0.1 or 1.3.2 in your Node.js project. Check your dependencies with npm list mixin-deep.
Upgrade the mixin-deep package to version 2.0.1 or later, or to version 1.3.2 if using the 1.x branch. Use npm install mixin-deep@latest or npm install mixin-deep@1.3.2.
While widespread active exploitation is not widely reported, public proof-of-concept exploits exist, increasing the risk of opportunistic attacks.
Refer to the mixin-deep project's GitHub repository for updates and advisories: https://github.com/mixin/mixin-deep