// For flags

CVE-2019-10746

nodejs-mixin-deep: prototype pollution in function mixin-deep

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

mixin-deep es vulnerable a Prototype Pollution en versiones anteriores a 1.3.2 y 2.0.0. La función mixin-deep podría ser engañada para agregar o modificar propiedades de Object.prototype usando una carga útil del constructor.

A flaw was found in Nodejs's mixin-deep prior to versions 1.3.2 and 2.0.0. The mixin-deep function could be used to add or modify properties of the Object.prototype. The highest threat from this vulnerability is to system availability.

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling, denial of service, and use-after-free vulnerabilities.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-07-11 First Exploit
  • 2019-04-03 CVE Reserved
  • 2019-08-23 CVE Published
  • 2024-08-04 CVE Updated
  • 2025-01-13 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
  • CWE-471: Modification of Assumed-Immutable Data (MAID)
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Mixin-deep Project
Search vendor "Mixin-deep Project"
 Mixin-deep
Search vendor "Mixin-deep Project" for product "Mixin-deep"
 < 1.3.2
Search vendor "Mixin-deep Project" for product "Mixin-deep" and version " < 1.3.2"
node.js
Affected
Mixin-deep Project
Search vendor "Mixin-deep Project"
 Mixin-deep
Search vendor "Mixin-deep Project" for product "Mixin-deep"
 2.0.0
Search vendor "Mixin-deep Project" for product "Mixin-deep" and version "2.0.0"
node.js
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 30
Search vendor "Fedoraproject" for product "Fedora" and version "30"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 31
Search vendor "Fedoraproject" for product "Fedora" and version "31"
-
Affected
Oracle
Search vendor "Oracle"
 Communications Cloud Native Core Network Function Cloud Native Environment
Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment"
 1.4.0
Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment" and version "1.4.0"
-
Affected