CVE-2021-28860

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-28860

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-28860.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-28860

Aliases

GHSA-r5cq-9537-9rpf

Related

GHSA-79jw-6wg7-r9g4

Published

2021-05-03T12:15:07.467Z

Modified

2026-04-02T06:48:50.779472Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via 'proto' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).

References

Affected packages

Git / github.com/adaltas/node-mixme

Affected ranges

Type

GIT

Repo

https://github.com/adaltas/node-mixme

Events

Introduced

Fixed

0ae91325065dd8693eb457492c210ff9a3fa6f7b

Fixed

cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.5.1"
        }
    ]
}

Affected versions

v0.*

v0.0.1

v0.1.0

v0.2.0

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.5

v0.4.0

v0.5.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-28860.json"