VYPR
High severity · NVD Advisory · Published Jun 7, 2018 · Updated Sep 17, 2024

CVE-2018-3719

Description

mixin-deep node module before 1.3.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Prototype pollution in mixin-deep < 1.3.1 allows attackers to modify Object prototype via __proto__, affecting all objects.

Vulnerability

mixin-deep before version 1.3.1 (npm) contains a prototype pollution vulnerability (Modification of Assumed-Immutable Data, MAID). The mixinDeep function does not block __proto__ keys, so a malicious user can modify the prototype of Object via __proto__, adding or modifying a property that then exists on all objects [1] [2].

Exploitation

An attacker can supply a crafted object whose __proto__ key holds arbitrary payload properties to any API that passes attacker-controlled data through mixin-deep. No authentication or special network position is required beyond getting the application to merge that data, for example a JSON body parsed with JSON.parse, which yields __proto__ as an own enumerable key (an object literal written in source code does not create one; it sets the literal's prototype instead). When copy() reads this['__proto__'] on the target it gets Object.prototype, both sides look like objects, and the recursive merge assigns the payload's keys onto Object.prototype, making them visible on every plain object in the same process [3].

Impact

Successful exploitation pollutes Object.prototype. An attacker can add or modify properties inherited by every object, which can cause denial of service (for example by overriding a property application code assumes is absent, or by replacing a method that is later called on an arbitrary object) and, where a polluted property feeds a security check, a template, or the evaluation of untrusted data, privilege escalation or arbitrary code execution [1] [3]. The vulnerability has a CVSS v3.1 base score of 7.5 (High) [3].

Mitigation

The fix was released in version 1.3.1, which makes copy() skip any key named __proto__ so the merge never descends into Object.prototype [2]. Users should update to 1.3.1 or later. No workaround is provided for earlier versions; updating is the only mitigation [3]. Note that the check matches only the literal key __proto__; applications that merge untrusted input should still treat constructor and prototype keys as suspect, since constructor.prototype is another path to Object.prototype.
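The merge behaviour described under Exploitation and the effect of the 1.3.1 fix described under Mitigation, as an added example that is not mixin-deep's own code: a simplified deep merge with the same shape as the patched copy() (read this[key] on the target, recurse when both sides are objects), built three ways. The names isObject, makeMerge, mergeVulnerable, mergePatched, mergeHardened, pollutes and demo, the assumption that functions count as mergeable objects, and the two JSON payloads are all this example's own. It goes beyond the advisory text in one respect: it also shows that a blocklist containing only __proto__ leaves the constructor → prototype route to Object.prototype open, which is why the hardened variant blocks those keys too.

```javascript
'use strict';

// Assumption of this example: like the is-extendable check mixin-deep relies on, treat
// functions as mergeable objects and leave arrays alone.
function isObject(val) {
  return val !== null &&
    (typeof val === 'object' || typeof val === 'function') &&
    !Array.isArray(val);
}

// Builds a deep merge with the same shape as the patched copy(): look up this[key] on the
// target, recurse when both sides are objects, otherwise assign. blockedKeys is the set
// of keys the merge refuses to touch (empty for the pre-1.3.1 behaviour).
function makeMerge(blockedKeys) {
  return function mixinDeep(target, ...sources) {
    for (const source of sources) {
      if (!isObject(source)) continue;
      for (const key of Object.keys(source)) {
        if (blockedKeys.has(key)) continue;
        const val = source[key];
        const existing = target[key];   // key '__proto__' resolves to Object.prototype here
        if (isObject(val) && isObject(existing)) {
          mixinDeep(existing, val);     // ... so this recursion writes into Object.prototype
        } else {
          target[key] = val;
        }
      }
    }
    return target;
  };
}

const mergeVulnerable = makeMerge(new Set());                                          // mixin-deep < 1.3.1
const mergePatched    = makeMerge(new Set(['__proto__']));                             // the 1.3.1 fix
const mergeHardened   = makeMerge(new Set(['__proto__', 'constructor', 'prototype'])); // broader blocklist

// Merges source into a throwaway object, then checks whether an unrelated fresh object now
// inherits `prop`. Removes the property again so the cases stay independent.
function pollutes(merge, source, prop) {
  merge({}, source);
  const leaked = ({})[prop];
  delete Object.prototype[prop];
  return leaked === 'yes';
}

// Constructed attacker inputs. JSON.parse yields an own enumerable '__proto__' key; the
// object literal does not (it sets the literal's own prototype instead).
function demo() {
  const protoPayload = JSON.parse('{"__proto__": {"polluted": "yes"}}');
  const ctorPayload  = JSON.parse('{"constructor": {"prototype": {"polluted": "yes"}}}');
  const literal = { __proto__: { polluted: 'yes' } };
  return {
    literalIsHarmless: !pollutes(mergeVulnerable, literal, 'polluted'),   // true
    vulnerableProto:   pollutes(mergeVulnerable, protoPayload, 'polluted'), // true
    patchedProto:      pollutes(mergePatched, protoPayload, 'polluted'),    // false
    patchedCtor:       pollutes(mergePatched, ctorPayload, 'polluted'),     // true: fix covers __proto__ only
    hardenedCtor:      pollutes(mergeHardened, ctorPayload, 'polluted'),    // false
  };
}

console.log(demo());
```

Run with node. The literal case is the caveat worth remembering when reproducing this class of bug: a source object written as a literal with __proto__ never has an own __proto__ key, so a test that does not go through JSON.parse (or another parser that creates own keys) will wrongly report the merge as safe.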

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package      Ecosystem   Affected versions   Patched versions
mixin-deep   npm         < 1.3.1             1.3.1

Affected products (2)

  • ghsa-coords
    Range: < 1.3.1
  • HackerOne/mixin-deep node module v5
    Range: Versions before 1.3.1

Patches (1)

578b0bc5e74e

exclude __proto__

1 file changed · +4 −0
  • index.js (+4 −0, modified)
    @@ -23,6 +23,10 @@ function mixinDeep(target, objects) {
      */
     
     function copy(val, key) {
    +  if (key === '__proto__') {
    +    return;
    +  }
    +
       var obj = this[key];
       if (isObject(val) && isObject(obj)) {
         mixinDeep(obj, val);
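Review bot: the new guard at the top of copy() matches only the literal key '__proto__', so a source key of 'constructor' still reaches the line below it: `var obj = this[key]` resolves to the target's constructor (Object for a plain object), and if isObject() accepts functions the recursion `mixinDeep(obj, val)` continues into its 'prototype' member and lands on Object.prototype exactly as the __proto__ path did. Consider widening the check to `if (key === '__proto__' || key === 'constructor' || key === 'prototype') return;`. A one-line comment above the guard explaining why the key is dropped silently rather than rejected would also help the next reader.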
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.