GMS-2018-14: Denial of Service and remote code execution.

February 15, 2018

Utilities function in mixin-deep can be tricked into modify the prototype of “Object” when the attacker control part of the structure passed to these function. This can let an attacker add or modify existing property that will exist on all object, leading to denial of service or remote code execution.

References

github.com/jonschlinkert/mixin-deep/commit/578b0bc5e74e14de9ef4975f504dc698796bdf9c
hackerone.com/reports/311236

Detect and mitigate GMS-2018-14 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →