Description

This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.

Remediation

References

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050373

https://snyk.io/vuln/SNYK-JS-MOUT-1014544

https://github.com/mout/mout/blob/master/src/object/deepMixIn.js

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1050374

https://github.com/mout/mout/blob/master/src/object/deepFillIn.js

Related Vulnerabilities

CVE-2023-0842 Vulnerability in maven package org.webjars.npm:xml2js

CVE-2022-4111 Vulnerability in npm package tooljet

CVE-2022-35961 Vulnerability in npm package @openzeppelin/contracts-upgradeable

CVE-2020-8127 Vulnerability in maven package org.webjars.npm:reveal.js

CVE-2020-8203 Vulnerability in npm package @sailshq/lodash

Severity

High

Classification

CWE-1321 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Exploit Third Party Advisory