N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-c3px-v9c7-m734

EPSS Score

CWE

CWE-1321

Published

9/3/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-c3px-v9c7-m734

GHSA-c3px-v9c7-m734: Prototype Pollution in mithril

Affected versions of mithrilare vulnerable to prototype pollution. The function parseQueryString may allow a malicious user to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. A payload such as __proto__%5BtoString%5D=123 in the query string would change the toString() function to 123.

Recommendation

If you are using mithril 2.x, upgrade to version 2.0.2 or later. If you are using mithril 1.x, upgrade to version 1.1.7 or later.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-c3px-v9c7-m734

EPSS Score

CWE

CWE-1321

Published

9/3/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mithril	npm	< 1.1.7	1.1.7
mithril	npm	>= 2.0.0, < 2.0.2	2.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The GitHub advisory directly identifies parseQueryString as the vulnerable function. Runtime exploitation would involve this function processing attacker-controlled query parameters. A profiler would show this function actively parsing the malicious payload (e.g., during route handling or AJAX parameter parsing). No other functions are explicitly mentioned in the advisory as being involved in the vulnerability. The lack of prototype pollution checks in the parameter assignment logic is the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `mit*ril`*r* vuln*r**l* to prototyp* pollution. T** *un*tion `p*rs*Qu*ryStrin*` m*y *llow * m*li*ious us*r to mo*i*y t** prototyp* o* `O*j**t`, **usin* t** ***ition or mo*i*i**tion o* *n *xistin* prop*rty t**t will *xist on *ll o

Reasoning

T** *it*u* **visory *ir**tly i**nti*i*s `p*rs*Qu*ryStrin*` *s t** vuln*r**l* *un*tion. Runtim* *xploit*tion woul* involv* t*is *un*tion pro**ssin* *tt**k*r-*ontroll** qu*ry p*r*m*t*rs. * pro*il*r woul* s*ow t*is *un*tion **tiv*ly p*rsin* t** m*li*iou

N/A

Basic Information

Concerned about an active attack path?

GHSA-c3px-v9c7-m734: Prototype Pollution in mithril

Recommendation

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI