CVE-2020-24939
Description
Prototype pollution in Stampit supermixer 1.0.3 allows attackers to inject properties into Object.prototype via crafted JSON.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Stampit supermixer version 1.0.3 is vulnerable to prototype pollution through its merge function. The function does not filter out __proto__ or constructor keys when merging objects, allowing an attacker to inject properties into the base Object.prototype [1][4]. The vulnerability exists in the mixer function exported by the package [3].
Exploitation
An attacker can exploit this by passing a crafted JSON object containing __proto__ or constructor keys to the merge function. No authentication or special privileges are required if the application merges user-supplied data. For example, calling mixer.merge({}, JSON.parse('{"__proto__":{"poc":"evil"}}')) pollutes the prototype, so that the property poc resolves to "evil" on every object that inherits from Object.prototype [4].
Impact
Successful prototype pollution can lead to denial of service, access to restricted data, or remote code execution, depending on how the application uses the polluted properties [1][4]. The attacker can modify the behavior of all objects in the runtime, potentially bypassing security checks or altering application logic.
Mitigation
Upgrade to supermixer version 1.0.5 or later, which includes the fix from commit 94dcc6f [2][3]. The fix adds checks that skip the __proto__ key and, when the source value is a function, the constructor key during merge [3]. No workaround is available for version 1.0.3; users must update to a patched version.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
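As an added example (not supermixer's own code), the following deep merge applies the same guards the fix introduces and additionally refuses the prototype key, and a companion walker reports blocked keys in parsed JSON so such input can be logged or rejected before it reaches any merge. The names safeMerge, findBlockedKeys and BLOCKED_KEYS are assumptions of this example, and the sample input is constructed from the payload shape used in the advisory's test case.

```javascript
// Added example, not supermixer's code. Keys that can reach the prototype chain.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Deep-merges `source` into `target`, skipping prototype-related keys and only
// ever recursing into an *own* plain-object property of `target`. Arrays and
// primitives from `source` are assigned by reference.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {        // own enumerable keys only
    if (BLOCKED_KEYS.has(key)) continue;          // never touch the prototype chain
    const sourceValue = source[key];
    if (isPlainObject(sourceValue)) {
      // An inherited value (e.g. target.constructor === Object) must never be
      // used as a merge target, so fall back to a fresh object instead.
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const nested = isPlainObject(own) ? own : {};
      target[key] = safeMerge(nested, sourceValue);
    } else {
      target[key] = sourceValue;
    }
  }
  return target;
}

// Walks a parsed JSON value and returns the dotted paths of any blocked keys,
// which is useful for rejecting or logging suspicious input up front.
function findBlockedKeys(value, path = '') {
  const hits = [];
  if (!isPlainObject(value) && !Array.isArray(value)) return hits;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (BLOCKED_KEYS.has(key)) hits.push(here);
    hits.push(...findBlockedKeys(value[key], here));
  }
  return hits;
}

// Constructed sample: the advisory's __proto__ payload plus a constructor variant.
const untrustedInput = JSON.parse(
  '{"__proto__":{"poc":"evil"},"constructor":{"prototype":{"poc2":"evil"}},"name":"ok"}'
);
const merged = safeMerge({}, untrustedInput);
console.log(findBlockedKeys(untrustedInput)); // ['__proto__', 'constructor', 'constructor.prototype']
console.log(merged, ({}).poc, ({}).poc2);      // { name: 'ok' } undefined undefined
```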
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| supermixer (npm) | < 1.0.5 | 1.0.5 |
Affected products
- Stampit/supermixer
Patches
- 94dcc6fc45e0: Avoiding prototype pollution
2 files changed · +13 −0
src/mixer.js+3 −0 modified@@ -47,6 +47,9 @@ export default function mixer(opts = {}) { } function iteratee(sourceValue, key) { + if (key === 'constructor' && typeof sourceValue === 'function') return; + if (key == '__proto__') return; + const targetValue = target[key]; if (opts.filter && !opts.filter(sourceValue, targetValue, key)) { return;
test/merge.js+10 −0 modified@@ -61,3 +61,13 @@ test('merge', (t) => { t.ok(result.func2, 'Should mix functions.'); t.end(); }); + +test('merging should avoid prototype pollutions', (t) => { + let result = merge({}, JSON.parse('{"__proto__":{"poc":"evil"}}')); + t.notEqual(result.poc, 'evil', 'Should not merge __proto__.'); + + result = merge({}, { constructor: noop }); + t.notEqual(result.constructor, noop, 'Should not merge constructor functions') + + t.end(); +});
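Review bot: in the src/mixer.js hunk the constructor guard in iteratee only fires when sourceValue is a function, so a constructor key arriving from JSON.parse (whose value can only be an object, array, string, number, boolean or null) passes the guard and flows into `const targetValue = target[key];`, where target.constructor resolves to the inherited Object function for a plain-object target; please confirm the recursion that follows cannot reach Object.prototype through that value, and consider skipping constructor unconditionally (and prototype as well). Also use `===` for the `__proto__` comparison to match the line above it.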
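Review bot: the new test in test/merge.js covers a function-valued constructor but not the shape untrusted input actually takes, a constructor key whose value is a plain object produced by JSON.parse; add that case, assert directly on the prototype (for example `t.notOk(Object.prototype.hasOwnProperty('poc'))` alongside the result.poc check), and delete any polluted property at the end of the test so a failure cannot leak into later tests. The line `t.notEqual(result.constructor, noop, 'Should not merge constructor functions')` is also missing its semicolon.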
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7prf-vw4p-qr59 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-24939 (GHSA, advisory)
- cwe.mitre.org/data/definitions/1321.html (MITRE, x_refsource_MISC)
- github.com/stampit-org/supermixer/commit/94dcc6fc45e0fed96187cb52aaffadf76dbbc0a3 (GHSA, web)
- github.com/stampit-org/supermixer/compare/v1.0.4...v1.0.5 (GHSA, x_refsource_CONFIRM, web)
- github.com/stampit-org/supermixer/issues/9 (GHSA, x_refsource_CONFIRM, web)
- hackerone.com/reports/959987 (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.