# EIQ-2019-0031

| ID | EIQ-2019-0031 |
|---|---|
| CVE | |
| Description | mixin-deep enables prototype pollution |
| Date | 04 Sep 2019 |
| Severity | 4 - CRITICAL |
| CVSSv3 score | 9.8 |
| Status | ✅ All versions |
| Assessment | mixin-deep versions 1.3.1 and earlier, and versions 2.0.0 and earlier, could enable an attacker to inject properties into JavaScript prototype objects (prototype pollution) by exploiting a vulnerability through the An attacker could add or modify object prototype properties of Modified properties are propagated to all objects through inheritance. An attacker could leverage prototype pollution by remotely executing arbitrary code, or by triggering JavaScript exceptions to carry out a denial of service (DoS) attack. Note: this vulnerability is a false positive. It affects a sub-dependency of Storybook, which is used only in development and is never packaged in our production code. |
| Mitigation | Upgrade mixin-deep to version 1.3.2 or later, or version 2.0.1 or later. At the moment, it is not possible to globally upgrade mixin-deep, because it occurs at least once as a sub-dependency. Sub-dependencies are indirect dependencies of other third-party dependencies, and we cannot control them. We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers. |
| Affected versions | None |
| Notes | For more information, see: |
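As an added example, not code from mixin-deep or from this advisory: a deep-merge helper that drops the keys a prototype-pollution payload depends on before assigning anything (the same key-filtering approach the patched releases take), plus a check a test suite can run after merging untrusted input. `safeMixinDeep`, `prototypeHasProperty`, `demo` and the JSON sample are assumptions constructed for this illustration.

```javascript
'use strict';
// Added example, not mixin-deep's own code: keys that would reach
// Object.prototype through a merge are dropped before assignment.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merges `source` into `target` (hypothetical name), skipping unsafe
// keys and only recursing into properties `target` actually owns.
function safeMixinDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(value) && own && isPlainObject(target[key])) {
      safeMixinDeep(target[key], value);
    } else if (isPlainObject(value)) {
      target[key] = safeMixinDeep({}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Post-merge check for tests or a request pipeline: a brand-new object
// must not see `name`, either as its own property or via inheritance.
function prototypeHasProperty(name) {
  return name in {};
}

// Constructed sample input shaped like attacker-controlled JSON. JSON.parse
// creates an own property literally named "__proto__", which an unchecked
// merge would then write into Object.prototype.
const UNTRUSTED_JSON =
  '{"theme":{"color":"dark"},"__proto__":{"polluted":true},' +
  '"constructor":{"prototype":{"polluted2":true}}}';

function demo() {
  const config = { theme: { color: 'light', font: 'mono' }, retries: 3 };
  safeMixinDeep(config, JSON.parse(UNTRUSTED_JSON));
  return {
    config,
    polluted: prototypeHasProperty('polluted'),
    polluted2: prototypeHasProperty('polluted2'),
  };
}
```

Legitimate nested keys (`theme.color`) are still merged while both prototype-reaching paths in the sample are discarded, so `prototypeHasProperty` reports a clean prototype afterwards.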