CVE-2021-29491
Use of Potentially Dangerous Function in mixme
Description
### Impact
In Node.js mixme v0.5.0, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This puts the availability of the program at risk, causing a potential denial of service (DoS).

### Patches
The problem is corrected starting with version 0.5.1.

### References
Issue: https://github.com/adaltas/node-mixme/issues/1
Commit: https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028
How to fix CVE-2021-29491
To remediate CVE-2021-29491, upgrade the affected package to a fixed version below.
- mixme: upgrade to 0.5.1 or later
Is CVE-2021-29491 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2021-29491.
Affected packages (1)
- mixme: from 0, < 0.5.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H |