NodeJS/mixin-deep/1.1.3
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone. No dependencies.
https://www.npmjs.com/package/mixin-deep
MIT
3 Security Vulnerabilities
Prototype Pollution in mixin-deep
Versions of mixin-deep before 1.3.1 are vulnerable to prototype pollution via merging functions.
Recommendation
Update to version 1.3.1 or later.
Prototype Pollution in mixin-deep
- https://nvd.nist.gov/vuln/detail/CVE-2019-10746
- https://github.com/advisories/GHSA-fhjf-83wg-r2j9
- https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFNIVG2XYFPZJY3DYYBJASZ7ZMKBMIJT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXRA365KZCUNXMU3KDH5JN5BEPNIGUKC/
- https://www.npmjs.com/advisories/1013
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://github.com/jonschlinkert/mixin-deep/commit/8f464c8ce9761a8c9c2b3457eaeee9d404fa7af9
- https://github.com/jonschlinkert/mixin-deep/commit/90ee1fab375fccfd9b926df718243339b4976d50
Versions of mixin-deep prior to 2.0.1 or 1.3.2 are vulnerable to Prototype Pollution. The mixinDeep function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.
Recommendation
If you are using mixin-deep 2.x, upgrade to version 2.0.1 or later.
If you are using mixin-deep 1.x, upgrade to version 1.3.2 or later.
mixin-deep prototype pollution
mixin-deep node module before 1.3.1 suffers from a prototype pollution vulnerability via merging functions, which allows a malicious user to modify the prototype of 'Object' via __proto__, causing the addition or modification of an existing property that will exist on all objects.
13 Other Versions
Version | License | Security | Released | Age |
---|---|---|---|---|
1.3.1 | MIT | 1 | 2018-02-07 - 16:28 | over 6 years |
2.0.0 | MIT | 1 | 2018-07-11 - 14:11 | almost 6 years |
1.0.0 | MIT | 3 | 2015-02-25 - 11:12 | about 9 years |
1.1.0 | MIT | 3 | 2015-04-30 - 00:52 | about 9 years |
0.1.0 | MIT | 3 | 2014-09-22 - 15:35 | over 9 years |
1.1.2 | MIT | 3 | 2015-08-21 - 06:31 | over 8 years |
1.1.3 | MIT | 3 | 2015-08-29 - 02:08 | over 8 years |
1.2.0 | MIT | 3 | 2017-03-02 - 13:40 | about 7 years |
1.0.1 | MIT | 3 | 2015-02-25 - 11:15 | about 9 years |
1.1.1 | MIT | 3 | 2015-05-28 - 07:48 | almost 9 years |
1.3.0 | MIT | 3 | 2017-12-09 - 06:49 | over 6 years |
2.0.1 | MIT | | 2019-06-19 - 17:47 | almost 5 years |
1.3.2 | MIT | | 2019-06-24 - 20:33 | almost 5 years |