EIQ-2019-0031

ID	EIQ-2019-0031
CVE	CVE-2019-10746
Description	mixin-deep enables prototype pollution
Date	04 Sep 2019
Severity	4 - CRITICAL
CVSSv3 score	9.8
Status	All versions
Assessment	mixin-deep versions 1.3.1 and earlier, and versions 2.0.0 and earlier could enable an attacker to inject properties into JavaScript prototype objects (prototype pollution) by exploiting a vulnerability through the `mixinDeep` function: `mixinDeep`fails to validate updated object properties. An attacker could add or modify object prototype properties of `Object.prototype` with a `constructor` payload. Modified properties are propagated to all objects through inheritance. An attacker could leverage prototype pollution by remotely executing arbitrary code, or by triggering JavaScript exceptions to carry out a denial of service (DoS) attack. This vulnerability is a false positive: i t affects a sub-dependency of Storybook. Storybook is used only in development. It is never packaged in our production code.
Mitigation	Upgrade mixin-deep to version 1.3.2 or later, or version 2.0.1 or later. At the moment, it is not possible to globally upgrade mixin-deep, because it occurs at least once as a sub-dependency. Sub-dependencies are indirect dependencies of other third-party dependencies. We cannot control these dependencies. We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers.
Affected versions	None
Notes	For more information, see: npm security advisory about the vulnerability Snyk report about the vulnerability GitHub commit with the fix CWE-88 CWE-400

< Back to all security issues and mitigation actions

In release notes 2.5.0