
CVE-2020-24939: Prototype pollution in supermixer

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.5589%
Published: 12/10/2021
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name: supermixer
Ecosystem: npm
Vulnerable Versions: < 1.0.5
First Patched Version: 1.0.5

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the merge function's handling of user-controlled objects. The proof of concept demonstrates prototype pollution via mixer.merge() with a payload containing a '__proto__' key. The fix in commit 94dcc6f explicitly adds guards against the '__proto__' and 'constructor' keys in the iteratee function within src/mixer.js, confirming this was the vulnerable code path. The test cases added in test/merge.js further validate that these keys were merged without restriction before the patch.
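To make the root cause concrete, here is an added example (not supermixer's own code) of a minimal recursive merge in the unguarded shape the analysis describes, beside the same merge with the '__proto__' and 'constructor' key guards the fix adds to its iteratee; the function names, the isPlainObject helper and the sample payload are constructed for this illustration.

```javascript
// Added example, not supermixer's code: a minimal recursive merge in the
// unguarded shape the advisory describes, beside the same merge with the
// '__proto__' / 'constructor' key guards that the fix adds to its iteratee.
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Unguarded: a JSON-parsed own key named "__proto__" is walked like any other.
// Reading dst["__proto__"] on a plain object returns Object.prototype, so the
// recursive call writes the supplied keys into every object's prototype.
function mergeUnguarded(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      mergeUnguarded(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Guarded: the two keys the patch rejects are skipped before any recursion.
function mergeGuarded(dst, src) {
  for (const key of Object.keys(src)) {
    if (key === '__proto__' || key === 'constructor') continue;
    const value = src[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      mergeGuarded(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Runs one merge over a constructed payload and reports whether a fresh,
// unrelated object now inherits the injected key. Cleans up afterwards so
// the process is not left polluted for later code.
function pollutionCheck(merge) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed
  merge({}, payload);
  const inherited = ({}).polluted;
  delete Object.prototype.polluted;
  return inherited; // 'yes' for mergeUnguarded, undefined for mergeGuarded
}
```

The same check is a useful regression test for any deep-merge helper in a code base: a value that shows up on an object that was never merged into is the signature of prototype pollution.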


WAF Protection Rules

WAF Rule

Prototype pollution in Stampit supermixer allows an attacker to modify the prototype of a base object, which can vary in severity depending on the implementation.
