Miggo Logo
Miggo Vulnerability Database
CVE-2020-35149

CVE-2020-35149: Code Injection in mquery

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-35149
GHSA ID
GHSA-45q2-34rf-mr94
EPSS Score
0.4913%
CWE
CWE-94
Published
12/18/2020
Updated
1/9/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
mquerynpm< 3.2.33.2.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit diff shows security fixes in both cloneObject and merge functions in lib/utils.js, adding checks for special properties. The vulnerability description explicitly mentions unsafe merge/clone operations, and the added test cases verify protection against proto pollution in these specific functions. The direct modification of these functions in the security patch confirms their vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

li*/utils.js in mqu*ry ***or* *.*.* *llows * pollution *tt**k ****us* * sp**i*l prop*rty (*.*., __proto__) **n ** *opi** *urin* * m*r** or *lon* op*r*tion.

Reasoning

T** *ommit *i** s*ows s**urity *ix*s in *ot* *lon*O*j**t *n* m*r** *un*tions in li*/utils.js, ***in* ****ks *or sp**i*l prop*rti*s. T** vuln*r**ility **s*ription *xpli*itly m*ntions uns*** m*r**/*lon* op*r*tions, *n* t** ***** t*st **s*s v*ri*y prot*