CVE-2019-10746

CRITICAL

mixin-deep < 1.3.2 - Prototype Pollution via Constructor Payload

Title source: llm

Description

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

References (4)

Core 4

Core References

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXRA365KZCUNXMU3KDH5JN5BEPNIGUKC/

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFNIVG2XYFPZJY3DYYBJASZ7ZMKBMIJT/

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com//security-alerts/cpujul2021.html

Exploit, Third Party Advisory x_refsource_misc

https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212

Scores

CVSS v3 9.8

EPSS 0.0354

EPSS Percentile 87.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-88

Status published

Products (6)

fedoraproject/fedora 30

fedoraproject/fedora 31

mixin-deep_project/mixin-deep 2.0.0

mixin-deep_project/mixin-deep < 1.3.2

npm/mixin-deep 0 - 1.3.2npm

oracle/communications_cloud_native_core_network_function_cloud_native_environment 1.4.0

Published Aug 23, 2019

Tracked Since Feb 18, 2026