CVE-2019-10746
Prototype Pollution vulnerability in mixin-deep (npm)
What is CVE-2019-10746 About?
This vulnerability is a Prototype Pollution issue in `mixin-deep` versions prior to 2.0.1 or 1.3.2. It allows attackers to modify the prototype of built-in JavaScript objects, which can lead to various impacts including denial of service or arbitrary code execution. Exploitation is relatively straightforward if an attacker can control relevant input.
Affected Software
- mixin-deep
  - >2.0.0, <2.0.1
  - <1.3.2
Technical Details
The mixinDeep function in affected mixin-deep versions fails to validate which Object properties it updates. When mixinDeep is used to merge objects, if an attacker can supply input that contains a __proto__ key or similar prototype-modifying constructs, the function will recursively merge properties into the global Object.prototype. This allows the attacker to add new properties or modify existing ones on all JavaScript objects, potentially corrupting application logic, leading to unexpected behavior, denial of service, or, in some contexts, remote code execution.
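As an added illustration (not mixin-deep's own code), the following JavaScript shows a mixinDeep-style merge parameterised by a key filter, so the unsafe form can be compared with a hardened form that rejects `__proto__`, `constructor` and `prototype` (the filter is the example's own, modelled on the upstream fix). The untrusted JSON and the config object are constructed for the example.

```javascript
// Added example, not mixin-deep's own code: a deep merge shaped like mixinDeep,
// parameterised by a key filter so the unsafe and hardened forms can be compared.
// The JSON below is constructed here to stand in for untrusted input.

function isObject(val) {
  return typeof val === 'object' && val !== null && !Array.isArray(val);
}

// Core merge. For key '__proto__', `target[key]` on a plain object resolves to
// Object.prototype, so without a filter the recursion writes into every object's prototype.
function mixinDeep(keyFilter, target, ...sources) {
  for (const source of sources) {
    if (!isObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (!keyFilter(key)) continue; // hardened path: drop the key instead of copying it
      const val = source[key];
      if (isObject(val) && isObject(target[key])) {
        mixinDeep(keyFilter, target[key], val);
      } else {
        target[key] = val;
      }
    }
  }
  return target;
}

// Keys that address the prototype chain rather than the target's own data.
function isValidKey(key) {
  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
}

const unsafeMixinDeep = (target, ...sources) => mixinDeep(() => true, target, ...sources);
const safeMixinDeep = (target, ...sources) => mixinDeep(isValidKey, target, ...sources);

// Constructed sample: a nested config carrying a prototype-modifying key.
const UNTRUSTED_JSON = '{"settings":{"theme":"dark"},"__proto__":{"polluted":true}}';

// Merge into a fresh config and report whether an unrelated object was affected,
// alongside the legitimate part of the merge (theme updated, lang preserved).
function mergeConfig(merge) {
  const config = { settings: { theme: 'light', lang: 'en' } };
  merge(config, JSON.parse(UNTRUSTED_JSON));
  return { leaked: ({}).polluted === true, theme: config.settings.theme, lang: config.settings.lang };
}

console.log('unsafe:', mergeConfig(unsafeMixinDeep)); // { leaked: true, theme: 'dark', lang: 'en' }
delete Object.prototype.polluted; // undo the demonstration's pollution before continuing
console.log('safe:', mergeConfig(safeMixinDeep)); // { leaked: false, theme: 'dark', lang: 'en' }
```

The `leaked` flag is read from a brand-new empty object, which is what makes the unsafe result a prototype pollution rather than a change confined to `config`.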
What is the Impact of CVE-2019-10746?
Successful exploitation may allow attackers to inject arbitrary properties into JavaScript object prototypes, which can lead to denial of service, data corruption, or, in specific application contexts, remote code execution.
What is the Exploitability of CVE-2019-10746?
Exploitation is of moderate complexity. It requires an attacker to provide specially crafted input to an application that uses the vulnerable mixin-deep package, so that the merge writes into an object's prototype. No specific authentication or high privileges are typically required if the vulnerable code path is reachable by unauthenticated input. Access can be remote if the application processes user-controlled data using mixin-deep. The primary condition is the use of mixin-deep in a context where user input is merged into objects without proper sanitization, or where prototype properties are explicitly allowed. Risk factors include applications that extensively use object merging or deep cloning functions with untrusted data.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-10746?
About the Fix from Resolved Security
Available Upgrade Options
- mixin-deep
  - <1.3.2 → Upgrade to 1.3.2
  - >2.0.0, <2.0.1 → Upgrade to 2.0.1
Additional Resources
- https://github.com/jonschlinkert/mixin-deep/commit/8f464c8ce9761a8c9c2b3457eaeee9d404fa7af9
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFNIVG2XYFPZJY3DYYBJASZ7ZMKBMIJT
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXRA365KZCUNXMU3KDH5JN5BEPNIGUKC
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://osv.dev/vulnerability/GHSA-fhjf-83wg-r2j9
- https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
- https://nvd.nist.gov/vuln/detail/CVE-2019-10746
What are Similar Vulnerabilities to CVE-2019-10746?
Similar Vulnerabilities: CVE-2020-15366, CVE-2020-28282, CVE-2019-10744, CVE-2020-7660, CVE-2021-23343
