EIQ-2019-0031



ID

EIQ-2019-0031

CVE

CVE-2019-10746

Description

mixin-deep enables prototype pollution

Date

04 Sep 2019

Severity

4 - CRITICAL

CVSSv3 score

9.8

Status

✓ All versions

Assessment

mixin-deep versions 1.3.1 and earlier, and versions 2.0.0 and earlier, could enable an attacker to inject properties into JavaScript prototype objects (prototype pollution) through the mixinDeep function: mixinDeep fails to validate the object properties it updates.

An attacker could add or modify properties of Object.prototype with a constructor payload.
Modified properties are propagated to all objects through inheritance.

An attacker could leverage prototype pollution to remotely execute arbitrary code, or to trigger JavaScript exceptions and carry out a denial of service (DoS) attack.
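The mechanism described above, as an added illustration that is not part of this advisory and not mixin-deep's own code: unsafeMixinDeep is a generic sketch of the vulnerable recursive-merge pattern (a merge that recurses into target[key] for every key of the source, so a key literally named "__proto__" lands the recursion on Object.prototype), safeMixinDeep is the hardened form that refuses the "__proto__", "constructor" and "prototype" keys and only recurses into the target's own properties, and findUnsafeKeys is an input-validation helper that reports reserved keys before any merge runs. HOSTILE_JSON is a constructed sample document; the function and constant names are assumptions for this example.

```javascript
'use strict';

// Constructed sample: an attacker-controlled JSON document, e.g. a request body.
// JSON.parse creates an *own* property literally named "__proto__" (it does not
// change the object's prototype), so Object.keys() returns it like any other key.
const HOSTILE_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// The three keys through which a merge can reach a prototype object.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isObject(value) {
  return typeof value === 'object' && value !== null && !Array.isArray(value);
}

// Naive recursive merge in the style of the vulnerable pattern (assumed sketch,
// not mixin-deep's implementation): it walks every own key of the source and
// recurses whenever both sides look like objects. For key "__proto__", target[key]
// resolves to Object.prototype, so the recursion writes into the shared prototype.
function unsafeMixinDeep(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isObject(value) && isObject(target[key])) {
      unsafeMixinDeep(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: drop reserved keys outright, and only recurse into properties the
// target actually owns, so an inherited object is never used as a merge target.
function safeMixinDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    const ownObject =
      Object.prototype.hasOwnProperty.call(target, key) && isObject(target[key]);
    if (isObject(value) && ownObject) {
      safeMixinDeep(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Input validation: list every path in a parsed document that uses a reserved key,
// so a request can be rejected (and logged) before it ever reaches a merge.
function findUnsafeKeys(value, path = '$') {
  if (!isObject(value)) return [];
  const hits = [];
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (UNSAFE_KEYS.has(key)) hits.push(here);
    hits.push(...findUnsafeKeys(value[key], here));
  }
  return hits;
}

// Runs one merge against a fresh config object, reports whether an unrelated object
// inherited "isAdmin" afterwards, and removes the polluted property again so the
// next run starts from a clean Object.prototype.
function pollutes(mergeFn) {
  const config = { theme: 'light' };
  mergeFn(config, JSON.parse(HOSTILE_JSON));
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log('naive merge pollutes Object.prototype:', pollutes(unsafeMixinDeep));
console.log('hardened merge pollutes Object.prototype:', pollutes(safeMixinDeep));
console.log('reserved keys in payload:', findUnsafeKeys(JSON.parse(HOSTILE_JSON)));
```

The leak check uses a freshly created, unrelated object on purpose: that is what makes prototype pollution dangerous, since the injected property shows up on every object in the process, not only on the one that was merged into. Rejecting documents that findUnsafeKeys flags, in addition to using a hardened merge, gives a second layer that also produces a log line worth alerting on.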

This vulnerability is a false positive: it affects a sub-dependency of Storybook.
Storybook is used only in development. It is never packaged in our production code.

Mitigation

Upgrade mixin-deep to version 1.3.2 or later, or version 2.0.1 or later.

At the moment, it is not possible to globally upgrade mixin-deep, because it occurs at least once as a sub-dependency.
Sub-dependencies are indirect dependencies of other third-party dependencies.

We cannot control these dependencies.
We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers.

Affected versions

None

Notes

For more information, see:



In release notes

2.5.0