Description
lib/utils.js in mquery before 3.2.3 allows a pollution attack because a special property (e.g., __proto__) can be copied during a merge or clone operation.
References (1)
Core 1
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/aheckmann/mquery/commit/792e69fd0a7281a0300be5cade5a6d7c1d468ad4
Scores
CVSS v3
5.3
EPSS
0.0026
EPSS Percentile
49.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
Status
published
Products (2)
mquery_project/mquery
< 3.2.3
npm/mquery
0 - 3.2.3npm
Published
Dec 11, 2020
Tracked Since
Feb 18, 2026