Description
All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 1.1.0
References
Related Issues
- CodeceptJS's incomprehensive sanitation can lead to Command Injection - CVE-2025-57285
- Payload does not invalidate JWTs after log out (GHSA-5v66-m237-hwf7) 2 - CVE-2025-4643
- The AuthKit React Router Library rendered sensitive auth data in HTML - CVE-2025-55008
- Vite allows server.fs.deny to be bypassed with .svg or relative paths - CVE-2025-31486
- Tags:
- npm
- mockjs
Anything's wrong? Let us know Last updated on December 17, 2023