Versions of mixin-deep 2.x prior to 2.0.1 and 1.x prior to 1.3.2 are vulnerable to Prototype Pollution. The mixinDeep function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, adding or modifying a property that is then inherited by all objects.
If you are using mixin-deep 2.x, upgrade to version 2.0.1 or later.
If you are using mixin-deep 1.x, upgrade to version 1.3.2 or later.
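The missing key validation described above can be seen in a simplified recursive merge. This is an added example, not mixin-deep's source or its patch; `mergeUnguarded`, `mergeGuarded`, `demo`, the `isAdmin` property and the sample JSON are constructed for illustration.

```javascript
// Added illustration: a simplified recursive merge, not mixin-deep's own source.
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Keys that resolve to the prototype chain rather than to an object's own data.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unguarded: recurses into whatever target[key] resolves to, inherited or not.
function mergeUnguarded(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key]) && isObject(target[key])) {
      mergeUnguarded(target[key], source[key]); // target['__proto__'] is Object.prototype
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skips prototype-reaching keys and only recurses into own properties.
function mergeGuarded(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isObject(source[key]) && own && isObject(target[key])) {
      mergeGuarded(target[key], source[key]);
    } else {
      target[key] = isObject(source[key]) ? mergeGuarded({}, source[key]) : source[key];
    }
  }
  return target;
}

// Runs one merge over constructed input and reports whether an unrelated,
// freshly created object inherited the injected property.
function demo(mergeFn) {
  // JSON.parse creates "__proto__" as an ordinary own key, so Object.keys sees it.
  const input = JSON.parse('{"a":{"b":1},"__proto__":{"isAdmin":true}}');
  const merged = mergeFn({ a: { c: 2 } }, input);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // restore global state after the check
  return { merged, leaked };
}

console.log(demo(mergeUnguarded).leaked, demo(mergeGuarded).leaked); // true false
```

The `leaked` check doubles as a regression test: run it against any merge helper that accepts parsed JSON from outside the trust boundary.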
github.com/jonschlinkert/mixin-deep/commit/8f464c8ce9761a8c9c2b3457eaeee9d404fa7af9
github.com/jonschlinkert/mixin-deep/commit/90ee1fab375fccfd9b926df718243339b4976d50
lists.fedoraproject.org/archives/list/[email protected]/message/BFNIVG2XYFPZJY3DYYBJASZ7ZMKBMIJT
lists.fedoraproject.org/archives/list/[email protected]/message/UXRA365KZCUNXMU3KDH5JN5BEPNIGUKC
nvd.nist.gov/vuln/detail/CVE-2019-10746
snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
www.npmjs.com/advisories/1013
www.oracle.com//security-alerts/cpujul2021.html