mockjs vulnerable to Prototype Pollution via the Util.extend function

Description

All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 1.1.0

References

• GHSA-mh8j-9jvh-gjf6
• security.snyk.io
• CVE-2023-26158
• CWE-1321
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
• underscore-keypath vulnerable to Prototype Pollution - CVE-2023-26139
• steal vulnerable to Prototype Pollution via requestedVersion variable - CVE-2022-37257
• lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash-amd - CVE-2026-2950

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

mockjs