CVE-2019-10746

CRITICAL

Mixin-deep < 1.3.2 - Prototype Pollution

Title source: rule

Description

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

References (4)

[Exploit, Third Party Advisory] https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212

[Patch, Third Party Advisory] https://www.oracle.com//security-alerts/cpujul2021.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFNIVG2XYFPZJY3DYYBJASZ7ZMKBMIJT/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXRA365KZCUNXMU3KDH5JN5BEPNIGUKC/

Scores

CVSS v3 9.8

EPSS 0.0113

EPSS Percentile 78.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-88

Status published

Affected Products (6)

mixin-deep_project/mixin-deep < 1.3.2

mixin-deep_project/mixin-deep

fedoraproject/fedora

oracle/communications_cloud_native_core_network_function_cloud_native_environment

npm/mixin-deep < 1.3.2npm

Timeline

Published Aug 23, 2019

Tracked Since Feb 18, 2026