CVE-2019-10746 — Prototype Pollution in mixin-deep

Description

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

How to fix CVE-2019-10746

To remediate CVE-2019-10746, upgrade the affected package to a fixed version below.

Debian/node-mixin-deep—upgrade to 2.0.1-1 or later
—upgrade to 1.3.2 or later

Is CVE-2019-10746 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.0.1-1
from 0, < 1.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10746
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-10746
WEBgithub.com/jonschlinkert/mixin-deep/commit/8f464c8ce9761a8c9c2b3457eaeee9d404fa7af9
WEBgithub.com/jonschlinkert/mixin-deep/commit/90ee1fab375fccfd9b926df718243339b4976d50