CVE-2021-28860: Prototype Pollution

May 3, 2021 (updated February 14, 2024)

An attacker can add or alter properties of an object via __proto__ through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).

References

github.com/adaltas/node-mixme/issues/1
nvd.nist.gov/vuln/detail/CVE-2021-28860

Detect and mitigate CVE-2021-28860 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →