Description
All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 1.1.0
References
Related Issues
- Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
- jsonic was discovered to contain a prototype pollution via the function empty. - CVE-2024-38993
- steal vulnerable to Prototype Pollution via optionName variable - CVE-2022-37264
- steal vulnerable to Prototype Pollution via key variable in babel.js - CVE-2022-37266
- Tags:
- npm
- mockjs
Anything's wrong? Let us know Last updated on December 17, 2023