EIQ-2019-0031#

ID

EIQ-2019-0031

CVE

CVE-2019-10746

Description

mixin-deep enables prototype pollution

Date

04 Sep 2019

Severity

4 - CRITICAL

CVSSv3 score

9.8

Status

✅ All versions

Assessment

mixin-deep versions 1.3.1 and earlier, and versions 2.0.0 and earlier could enable an attacker to inject properties into JavaScript prototype objects (prototype pollution) by exploiting a vulnerability through the mixinDeep function: mixinDeep fails to validate updated object properties.

An attacker could add or modify object prototype properties of Object.prototype with a constructor payload.

Modified properties are propagated to all objects through inheritance.

An attacker could leverage prototype pollution by remotely executing arbitrary code, or by triggering JavaScript exceptions to carry out a denial of service (DoS) attack.

Note

This vulnerability is a false positive: it affects a sub-dependency of Storybook.

Storybook is used only in development. It is never packaged in our production code.

Mitigation

Upgrade mixin-deep to version 1.3.2 or later, or version 2.0.1 or later.

At the moment, it is not possible to globally upgrade mixin-deep, because it occurs at least once as a sub-dependency.

Sub-dependencies are indirect dependencies of other third-party dependencies.

We cannot control these dependencies.

We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers.

Affected versions

None

Notes

For more information, see: