VYPR
Critical severity · NVD Advisory · Published Aug 23, 2019 · Updated Aug 4, 2024

CVE-2019-10746

Description

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

mixin-deep before 1.3.2 and 2.0.0 is vulnerable to Prototype Pollution, allowing attackers to modify Object.prototype via a constructor payload.

Vulnerability

Overview

mixin-deep is a JavaScript utility for deeply merging objects. Versions prior to 1.3.2 and version 2.0.0 are vulnerable to Prototype Pollution [1][2]. The mixin-deep function does not properly restrict the merging of properties with keys like __proto__ or constructor.prototype, allowing an attacker to inject properties into the global Object prototype [3].

Exploitation

An attacker can craft a malicious object containing a __proto__ or constructor.prototype key. When this object is passed to mixin-deep, the library will merge the payload into the base object's prototype chain, polluting Object.prototype [2]. No authentication is required if the application processes user-supplied objects through this function.

Impact

Successful exploitation enables the attacker to add or modify properties on all objects in the application. This can lead to denial of service, property injection, or potentially remote code execution depending on how the polluted properties are used by the application [1][2].

Mitigation

The vulnerability is fixed in mixin-deep version 1.3.2 (for the 1.x branch) and version 2.0.1 (for the 2.x branch) [3]. Users should update immediately. Fedora has also released package updates [4]. No workaround is available other than upgrading.
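As an added example (not mixin-deep's own code and not part of this advisory), the following JavaScript reduces the mechanism described in the Overview and Exploitation sections, and the guard adopted in the fix, to a small harness: a deep merge built from a pluggable key filter, the pre-fix filter that rejects only `__proto__`, the filter from the fix commit (`isValidKey`), and a check that runs the two payload shapes named above through a merge function on a throwaway object and reports which of them reached `Object.prototype`. The payload strings are constructed for the demo; `makeDeepMerge`, `findPollutingPayloads` and the `pp_sentinel` marker are names chosen here, not identifiers from the project.

```javascript
// Added example, modeled on the patched mixin-deep logic; not the library's code.

const isObject = val =>
  typeof val === 'function' ||
  (typeof val === 'object' && val !== null && !Array.isArray(val));

// Key filter introduced by the fix: reject the three names that let a merge
// walk from any plain object up to Object.prototype.
const isValidKey = key =>
  key !== '__proto__' && key !== 'constructor' && key !== 'prototype';

// Build a deep merge around a key filter so the two guards can be compared.
// (Hypothetical helper; mixin-deep hard-codes its guard instead.)
function makeDeepMerge(keyFilter) {
  const merge = (target, ...sources) => {
    for (const src of sources) {
      if (!isObject(src)) continue;
      for (const key in src) {
        if (!keyFilter(key)) continue;
        const val = src[key];
        // Recurse when both sides are objects. With target = {} and
        // key = "constructor", target[key] is the inherited Object function,
        // so the recursion continues into Object and then Object.prototype.
        if (isObject(target[key]) && isObject(val)) {
          merge(target[key], val);
        } else {
          target[key] = val;
        }
      }
    }
    return target;
  };
  return merge;
}

const mergeLegacy = makeDeepMerge(key => key !== '__proto__'); // pre-fix guard
const mergeFixed = makeDeepMerge(isValidKey);                  // guard from the fix

// Constructed payloads, as JSON because JSON.parse creates real own
// properties named "__proto__" and "constructor" that for-in enumerates.
const PAYLOADS = [
  '{"__proto__": {"pp_sentinel": 1}}',
  '{"constructor": {"prototype": {"pp_sentinel": 1}}}',
];

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Run each payload through mergeFn on a fresh target and return the payloads
// that left an own property on Object.prototype. The sentinel is removed
// after each hit so the process is not left polluted.
function findPollutingPayloads(mergeFn) {
  const hits = [];
  for (const json of PAYLOADS) {
    mergeFn({}, JSON.parse(json));
    if (hasOwn(Object.prototype, 'pp_sentinel')) {
      hits.push(json);
      delete Object.prototype.pp_sentinel;
    }
  }
  return hits;
}
```

`findPollutingPayloads(mergeLegacy)` returns only the `constructor` payload, which is exactly the bypass the advisory describes; `findPollutingPayloads(mergeFixed)` returns an empty list. The check looks for an own property on `Object.prototype` rather than reading `({}).pp_sentinel`, so nothing on the target can mask a hit, and the same harness can be pointed at any in-house `merge` or `extend` helper to confirm it behaves like the patched release.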

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions    Patched versions
mixin-deep (npm)   < 1.3.2              1.3.2
mixin-deep (npm)   >= 2.0.0, < 2.0.1    2.0.1

Patches

90ee1fab375f

ensure keys are valid when mixing in values

1 file changed · +12 −1
  • index.js  +12 −1  modified
    @@ -23,7 +23,7 @@ function mixinDeep(target, objects) {
      */
     
     function copy(val, key) {
    -  if (key === '__proto__') {
    +  if (!isValidKey(key)) {
         return;
       }
     
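Review bot: this commit touches only index.js (1 file changed) and adds no test for the new `isValidKey` guard in `copy`; add a regression test that merges a JSON-parsed object carrying a `constructor`/`prototype` key into a fresh target and asserts that `Object.prototype` gains no own property, so the bypass described in the advisory cannot silently return in a later refactor.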
    @@ -46,6 +46,17 @@ function isObject(val) {
       return isExtendable(val) && !Array.isArray(val);
     }
     
    +/**
    + * Returns true if `key` is a valid key to use when extending objects.
    + *
    + * @param  {String} `key`
    + * @return {Boolean}
    + */
    +
    +function isValidKey(key) {
    +  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
    +};
    +
     /**
      * Expose `mixinDeep`
      */
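Review bot: `function isValidKey(key) { ... };` ends a function declaration with a stray semicolon (an empty statement); drop the `;` after the closing brace to match `isObject` above. The JSDoc should also state that the guard rejects `constructor` and `prototype` as key names unconditionally, so a legitimate own property literally named `constructor` or `prototype` is now silently skipped during a merge rather than copied.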
    
8f464c8ce976

disallow constructor and prototype keys

https://github.com/jonschlinkert/mixin-deep · Jon Schlinkert · Jun 19, 2019 · via ghsa
5 files changed · +34 −20
  • index.js  +11 −7  modified
    @@ -1,17 +1,25 @@
     'use strict';
     
    -function mixinDeep(target, ...rest) {
    +const isObject = val => {
    +  return typeof val === 'function' || (typeof val === 'object' && val !== null && !Array.isArray(val));
    +};
    +
    +const isValidKey = key => {
    +  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
    +};
    +
    +const mixinDeep = (target, ...rest) => {
       for (let obj of rest) {
         if (isObject(obj)) {
           for (let key in obj) {
    -        if (key !== '__proto__') {
    +        if (isValidKey(key)) {
               mixin(target, obj[key], key);
             }
           }
         }
       }
       return target;
    -}
    +};
     
     function mixin(target, val, key) {
       let obj = target[key];
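Review bot: `mixinDeep` changes from a hoisted function declaration to a `const` arrow, so it is only callable after this point; the `module.exports` in the "Expose mixinDeep" block still follows it, which is fine, but `mixin` is now the only function declaration left in the file, so convert it to `const mixin = (target, val, key) => { ... }` as well for consistency. The `isValidKey(key)` check lives only in the top-level `for (let key in obj)` loop; since nested values are handed to `mixin`, confirm that nested objects re-enter `mixinDeep` (and therefore this loop) rather than being copied by another path, and add a mocha case with a nested object to pin that down.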
    @@ -22,10 +30,6 @@ function mixin(target, val, key) {
       }
     }
     
    -function isObject(val) {
    -  return typeof val === 'function' || (typeof val === 'object' && val !== null && !Array.isArray(val));
    -}
    -
     /**
      * Expose mixinDeep
      * @type {Function}
    
  • package.json  +4 −3  modified
    @@ -14,16 +14,17 @@
       ],
       "main": "index.js",
       "engines": {
    -    "node": ">=4"
    +    "node": ">=6"
       },
       "scripts": {
         "test": "mocha"
       },
       "devDependencies": {
    -    "gulp-format-md": "^1.0.0",
    -    "mocha": "^5.2.0"
    +    "gulp-format-md": "^2.0.0",
    +    "mocha": "^6.1.4"
       },
       "keywords": [
    +    "assign",
         "deep",
         "extend",
         "key",
    
  • README.md  +12 −8  modified
    @@ -1,4 +1,4 @@
    -# mixin-deep [![NPM version](https://img.shields.io/npm/v/mixin-deep.svg?style=flat)](https://www.npmjs.com/package/mixin-deep) [![NPM monthly downloads](https://img.shields.io/npm/dm/mixin-deep.svg?style=flat)](https://npmjs.org/package/mixin-deep) [![NPM total downloads](https://img.shields.io/npm/dt/mixin-deep.svg?style=flat)](https://npmjs.org/package/mixin-deep) [![Linux Build Status](https://img.shields.io/travis/jonschlinkert/mixin-deep.svg?style=flat&label=Travis)](https://travis-ci.org/jonschlinkert/mixin-deep)
    +# mixin-deep [![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=W8YFZ425KND68) [![NPM version](https://img.shields.io/npm/v/mixin-deep.svg?style=flat)](https://www.npmjs.com/package/mixin-deep) [![NPM monthly downloads](https://img.shields.io/npm/dm/mixin-deep.svg?style=flat)](https://npmjs.org/package/mixin-deep) [![NPM total downloads](https://img.shields.io/npm/dt/mixin-deep.svg?style=flat)](https://npmjs.org/package/mixin-deep) [![Linux Build Status](https://img.shields.io/travis/jonschlinkert/mixin-deep.svg?style=flat&label=Travis)](https://travis-ci.org/jonschlinkert/mixin-deep)
     
     > Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone. No dependencies.
     
    @@ -12,6 +12,10 @@ Install with [npm](https://www.npmjs.com/):
     $ npm install --save mixin-deep
     ```
     
    +## Heads up!
    +
    +[Please update](https://gist.github.com/jonschlinkert/9a62534c4f8bc76aee6058caa3f05fd6) to version 2.0.1 or later, a critical bug was fixed in that version.
    +
     ## Usage
     
     ```js
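Review bot: the "Heads up!" notice says only that "a critical bug was fixed"; name the issue class (prototype pollution) and the identifier CVE-2019-10746 so consumers triaging dependency alerts can match the release to the advisory. The README footer says this file is generated by verb-generate-readme, and the same sentence is added to .verb.md in this commit, so wording changes belong there and should be regenerated rather than hand-edited here.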
    @@ -65,24 +69,24 @@ You might also be interested in these projects:
     
     ### Contributors
     
    -| **Commits** | **Contributor** | 
    -| --- | --- |
    -| 26 | [jonschlinkert](https://github.com/jonschlinkert) |
    -| 2 | [doowb](https://github.com/doowb) |
    +| **Commits** | **Contributor** |  
    +| --- | --- |  
    +| 28 | [jonschlinkert](https://github.com/jonschlinkert) |  
    +| 2  | [doowb](https://github.com/doowb) |  
     
     ### Author
     
     **Jon Schlinkert**
     
    -* [LinkedIn Profile](https://linkedin.com/in/jonschlinkert)
     * [GitHub Profile](https://github.com/jonschlinkert)
     * [Twitter Profile](https://twitter.com/jonschlinkert)
    +* [LinkedIn Profile](https://linkedin.com/in/jonschlinkert)
     
     ### License
     
    -Copyright © 2018, [Jon Schlinkert](https://github.com/jonschlinkert).
    +Copyright © 2019, [Jon Schlinkert](https://github.com/jonschlinkert).
     Released under the [MIT License](LICENSE).
     
     ***
     
    -_This file was generated by [verb-generate-readme](https://github.com/verbose/verb-generate-readme), v0.6.0, on July 11, 2018._
    \ No newline at end of file
    +_This file was generated by [verb-generate-readme](https://github.com/verbose/verb-generate-readme), v0.8.0, on June 19, 2019._
    \ No newline at end of file
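Review bot: the regenerated contributors table now ends every row with two trailing spaces (`| **Commits** | **Contributor** |  `) and the file is still written without a trailing newline (`\ No newline at end of file`); both are generator artifacts that will reappear as whitespace-only diffs on every regeneration, so trim them in the verb template or via .editorconfig.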
    
  • .travis.yml  +0 −2  modified
    @@ -10,5 +10,3 @@ node_js:
       - '8'
       - '7'
       - '6'
    -  - '5'
    -  - '4'
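Review bot: removing `'5'` and `'4'` keeps the CI matrix consistent with the new `engines.node: >=6`; the visible context only shows `'8'`, `'7'` and `'6'` remaining, so check that a current LTS release is listed above this hunk, otherwise the rest-parameter and arrow-function code is exercised only on end-of-life Node versions.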
    
  • .verb.md  +7 −0  modified
    @@ -1,3 +1,7 @@
    +## Heads up!
    +
    +[Please update][update] to version 2.0.1 or later, a critical bug was fixed in that version.
    +
     ## Usage
     
     ```js
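Review bot: "to version 2.0.1 or later, a critical bug was fixed in that version" is a comma splice; since README.md is generated from this file, fix the sentence here ("... or later. A critical bug ...") and regenerate, and consider stating what the bug was so the notice is actionable for people auditing their dependency tree.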
    @@ -6,3 +10,6 @@ const res = mixin({ a: { foo: true } }, { a: { bar: true } }, { a: { baz: true }
     console.log(res);
     //=> { a: { foo: true, bar: true, baz: true } }
     ```
    +
    +
    +[update]: https://gist.github.com/jonschlinkert/9a62534c4f8bc76aee6058caa3f05fd6
    \ No newline at end of file
    
