Description
This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.
Remediation
References
https://github.com/mout/mout/blob/master/src/object/deepFillIn.js
https://github.com/mout/mout/blob/master/src/object/deepMixIn.js
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1050374
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050373
https://snyk.io/vuln/SNYK-JS-MOUT-1014544
Related Vulnerabilities
CVE-2023-36479 Vulnerability in maven package org.eclipse.jetty:jetty-servlets
CVE-2022-22968 Vulnerability in maven package org.springframework:spring-context
CVE-2020-15096 Vulnerability in maven package org.webjars.npm:electron
CVE-2023-37259 Vulnerability in npm package matrix-react-sdk
CVE-2021-44878 Vulnerability in maven package org.pac4j:pac4j-core