
fix: nodejs-mixin-deep: prototype pollution in function mixin-deep#4

Merged: galanko merged 1 commit into master from opensec/fix/mixin-deep-cve-2019-10746 on May 15, 2026

@galanko galanko commented May 14, 2026

Summary

Automated remediation for trivy finding: nodejs-mixin-deep: prototype pollution in function mixin-deep (CVE-2019-10746)

Vulnerability Details

CVE: CVE-2019-10746
CVSS Score: 9.8 (Critical)
Affected Versions: mixin-deep < 1.3.2 and 2.0.0
Type: Prototype Pollution

The mixin-deep package was vulnerable to prototype pollution attacks in versions before 1.3.2. An attacker could craft a malicious input object with a constructor property to modify Object.prototype, potentially compromising application security and allowing arbitrary property injection.

Changes

  • Added mixin-deep@^1.3.2 to package.json dependencies
  • Updated package-lock.json to lock mixin-deep to version 1.3.2
  • This is a patch-level security update with no breaking API changes

Impact

  • Security: Eliminates the prototype pollution attack vector (CVE-2019-10746)
  • Compatibility: No breaking changes; all existing code continues to function identically
  • Testing: Existing test suite should pass without modification

Verification

To verify the fix:
npm install
npm audit --production

Confirm that mixin-deep is at version 1.3.2 or higher:
npm list mixin-deep


Generated by OpenSec remediation agent

Security fix for CVE-2019-10746: Update mixin-deep from 1.3.1 to 1.3.2

The mixin-deep package was vulnerable to prototype pollution attacks
that could allow attackers to modify Object.prototype. This patch update
resolves the vulnerability with no breaking changes.

- Add mixin-deep@^1.3.2 to dependencies
- Update package-lock.json to lock mixin-deep to 1.3.2
@galanko galanko marked this pull request as ready for review May 15, 2026 12:36
@galanko galanko merged commit da8e69d into master May 15, 2026
@galanko galanko deleted the opensec/fix/mixin-deep-cve-2019-10746 branch May 15, 2026 12:37
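
The `npm list mixin-deep` check in the PR description can also be run against the lockfile itself, which catches nested copies that stay on an affected version after a fixed copy is added at the top level. The following is an added example, not part of this pull request or of the OpenSec agent; the sample lockfile and the names `demo-app` and `example-parent` are constructed, and the affected range is taken from the PR description.

```javascript
// Added example: audit a parsed package-lock.json for affected mixin-deep copies.
// Affected range per the PR description: < 1.3.2, and 2.0.0.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // unparseable version: cannot be verified, so flag it
  const [maj, min, pat] = p;
  if (maj === 2 && min === 0 && pat === 0) return true;
  if (maj < 1) return true;
  if (maj === 1) return min < 3 || (min === 3 && pat < 2);
  return false;
}

// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
// lockfileVersion 1 keeps nested "dependencies" objects.
function findMixinDeep(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/mixin-deep" || path.endsWith("/node_modules/mixin-deep")) {
      found.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === "mixin-deep") found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, ""); // avoid double counting in v2
  return found;
}

function auditLock(lock) {
  return findMixinDeep(lock).filter((e) => isAffected(e.version));
}

// Constructed sample: the top-level copy is fixed, a nested copy is still 1.3.1.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "mixin-deep": "^1.3.2" } },
    "node_modules/mixin-deep": { version: "1.3.2" },
    "node_modules/example-parent/node_modules/mixin-deep": { version: "1.3.1" },
  },
};
console.log(auditLock(sampleLock));
```

To run it on a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLock` and fail the build when the returned list is not empty.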