CVE-2023-26105: mde utilities contains Prototype Pollution

CVSS Score
7.5 (CVSS v3.1)

Basic Information

EPSS Score
0.19693%
Published
2/28/2023
Updated
3/8/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name
utilities
Ecosystem
npm
Vulnerable Versions
<= 1.0.6
First Patched Version
(none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. Multiple sources (GitHub Advisory, Snyk, NVD) explicitly identify _mix as the vulnerable function.
  2. The GitHub issue #29 demonstrates exploitation via i18n.loadLocale -> mixin -> _mix call chain.
  3. The _mix function's property assignment pattern (targ[p] = src[p]) matches known prototype pollution anti-patterns.
  4. The lack of prototype validation in _mix's merge logic allows __proto__ manipulation, as shown in the PoC.
  5. i18n.loadLocale is included as it's the documented exploitation path that surfaces the vulnerable _mix function.
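The merge anti-pattern the analysis describes, as an added example that is not the utilities package's own _mix source: a constructed recursive merge that copies a "__proto__" key like any other, shown beside a hardened variant and a probe that detects whether Object.prototype was polluted. The function names, the merge shape and the locale payload are assumptions made for this illustration.

```javascript
// Added illustration; NOT the real _mix from the utilities package.
// Vulnerable shape: every enumerable key is copied, so p === "__proto__"
// makes targ[p] resolve to Object.prototype and the recursion writes there.
function mixVulnerable(targ, src) {
  for (const p in src) {
    const v = src[p];
    if (v !== null && typeof v === 'object' && !Array.isArray(v)) {
      if (targ[p] === null || typeof targ[p] !== 'object') targ[p] = {};
      mixVulnerable(targ[p], v);   // targ["__proto__"] is Object.prototype here
    } else {
      targ[p] = v;                 // the targ[p] = src[p] pattern from the analysis
    }
  }
  return targ;
}

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Writes an own data property without invoking any setter on the prototype chain.
function setOwn(obj, key, value) {
  Object.defineProperty(obj, key, { value, writable: true, enumerable: true, configurable: true });
}

// Hardened shape: own keys only, prototype-affecting names skipped,
// existing nested targets reused only when they are own properties.
function mixHardened(targ, src) {
  for (const p of Object.keys(src)) {
    if (UNSAFE_KEYS.has(p)) continue;
    const v = src[p];
    if (v !== null && typeof v === 'object' && !Array.isArray(v)) {
      const cur = Object.prototype.hasOwnProperty.call(targ, p) ? targ[p] : undefined;
      const next = cur !== null && typeof cur === 'object' ? cur : {};
      setOwn(targ, p, mixHardened(next, v));
    } else {
      setOwn(targ, p, v);
    }
  }
  return targ;
}

// Constructed locale-style JSON of the kind a loadLocale path might parse;
// JSON.parse yields an OWN enumerable "__proto__" key (not a prototype change).
const LOCALE_PAYLOAD = '{"greeting":"hi","__proto__":{"polluted":true}}';

// Returns true if an unrelated object inherits "polluted" after merging the payload.
function pollutesGlobalPrototype(mixFn) {
  const probe = {};
  mixFn({}, JSON.parse(LOCALE_PAYLOAD));
  const leaked = probe.polluted === true;
  delete Object.prototype.polluted;   // restore a clean prototype for later checks
  return leaked;
}
```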


WAF Protection Rules

WAF Rule

All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function.
