CVE-2020-24939: Prototype pollution in supermixer
CVSS Score: 7.5 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-24939
GHSA ID
EPSS Score: 0.5589%
CWE
Published: 12/10/2021
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
supermixer | npm | < 1.0.5 | 1.0.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the merge function's handling of user-controlled objects: keys of the source object are walked and assigned without being checked, so a nested `__proto__` key reaches `Object.prototype`. The proof of concept demonstrates prototype pollution via mixer.merge() with a `__proto__` payload. The fix in commit 94dcc6f explicitly adds guards against the `__proto__` and `constructor` keys in the iteratee function within src/mixer.js, confirming this was the vulnerable code path. The added test cases in test/merge.js further validate that these keys were handled unsafely before the patch. Note that the payload must arrive as a parsed object (for example from JSON.parse on a request body): an object literal with a `__proto__` key sets the literal's prototype rather than creating an own key, so it does not exercise the bug.