CVE-2019-10808:
Improperly Controlled Modification of Dynamically-Determined Object Attributes in utilitify

CVSS Score: 8.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.72377%
Published: 5/7/2021
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name: utilitify
Ecosystem: npm
Vulnerable Versions: < 1.0.3
First Patched Version: 1.0.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability centers on the merge functionality, as every advisory description states. Although the patch code itself isn't shown, the Snyk report provides a clear proof of concept using mergeDeep, and the CVE description specifically names the merge method. This function would appear in runtime profiling when malicious merge operations are processed. The absence of prototype-chain checks during object property merging (visible in the PoC's ability to set __proto__ properties) makes mergeDeep the primary vulnerable function.
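As an added illustration of the defect class described above (this is not utilitify's code and not the Snyk proof of concept): a deep merge that copies keys with no prototype-chain check, beside a hardened version, and a check that shows which one modifies Object.prototype. The function names and the constructed input are assumptions.

```javascript
// Added example, not utilitify's code; function names and input are assumed.
const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// Vulnerable pattern: keys are copied with no prototype-chain check, so a source
// key "__proto__" resolves target["__proto__"] to Object.prototype and the
// recursion writes into it, which affects every object in the process.
function mergeDeepUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      const into = isPlainObject(target[key]) ? target[key] : {};
      target[key] = mergeDeepUnsafe(into, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: refuse keys that reach the prototype chain and only recurse
// into properties that target itself owns (never inherited ones).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function mergeDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const into = own && isPlainObject(target[key]) ? target[key] : {};
      target[key] = mergeDeepSafe(into, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input. JSON.parse yields an *own* property literally
// named "__proto__", which Object.keys reports like any other key.
const UNTRUSTED_JSON = '{"__proto__": {"polluted": "yes"}, "name": "x"}';

// Returns true if merging the input with `merge` leaves a mark on a fresh,
// unrelated object, i.e. Object.prototype was modified. Cleans up afterwards.
function pollutesPrototype(merge) {
  merge({}, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return leaked;
}
```

The same check can be run against any merge or deep-set helper in a dependency tree to detect this defect class before it is shipped.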

WAF Protection Rules

WAF Rule

utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype.
