CVE-2019-10806: Improperly Controlled Modification of Dynamically-Determined Object Attributes
vega-util allows manipulation of the object prototype (prototype pollution). The ‘vega.mergeConfig’ method within vega-util could be tricked into adding or modifying properties of Object.prototype.
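The class of flaw described above, shown as an added example that is not vega-util's own code: a generic recursive merge that follows a "__proto__" key into Object.prototype, next to a hardened merge that refuses it. The names naiveMerge, safeMerge and demo, and the sample input, are constructed for illustration.

```javascript
// Added illustration: generic recursive merges, not vega-util's mergeConfig source.
// naiveMerge, safeMerge and demo are hypothetical names.
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive deep merge: recurses into every own key of the source, "__proto__" included.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key]) && isObject(target[key])) {
      naiveMerge(target[key], source[key]); // target["__proto__"] is Object.prototype
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skips keys that reach the prototype chain and only
// recurses into properties the target itself owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    if (isObject(src)) {
      if (!hasOwn(target, key) || !isObject(target[key])) target[key] = {};
      safeMerge(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

function demo() {
  // Constructed input: JSON.parse creates an own property literally named "__proto__".
  const untrusted = JSON.parse('{"axis": {"grid": true}, "__proto__": {"polluted": true}}');
  naiveMerge({ axis: {} }, untrusted);
  const naivePolluted = ({}).polluted === true;
  delete Object.prototype.polluted; // restore a clean prototype before the second run
  const merged = safeMerge({ axis: { ticks: 5 } }, untrusted);
  const safePolluted = ({}).polluted === true;
  return { naivePolluted, safePolluted, merged };
}

console.log(demo());
```

Key filtering is one mitigation; merging into objects created with Object.create(null), or holding configuration in a Map, removes the prototype from the lookup path altogether.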