Description
All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 1.1.0
References
Related Issues
- Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash.unset - CVE-2026-2950
- Prototype pollution in ag-grid-community via the _.mergeDeep function - CVE-2024-38996
- Prototype pollution in ag-grid-community via the _.mergeDeep function - ag-grid-enterprise - CVE-2024-38996
You might also like:
- Tags:
- npm
- mockjs
Anything's wrong? Let us know Last updated on December 17, 2023


