Description
All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 1.1.0
References
Related Issues
- Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
- fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name - CVE-2023-26920
- billboard.js allows prototype pollution via the function generate - CVE-2025-49223
- underscore-keypath vulnerable to Prototype Pollution - CVE-2023-26139
- Tags:
- npm
- mockjs
Anything's wrong? Let us know Last updated on December 17, 2023