{"id":"CVE-2019-20149","details":"ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.","aliases":["GHSA-6c8f-qphg-qjgp"],"modified":"2026-04-10T04:13:15.145253Z","published":"2019-12-30T19:15:11.910Z","references":[{"type":"REPORT","url":"https://github.com/jonschlinkert/kind-of/issues/30"},{"type":"FIX","url":"https://github.com/jonschlinkert/kind-of/pull/31"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jonschlinkert/kind-of","events":[{"introduced":"0"},{"last_affected":"0b4ababf3a8505f60055487415a2dfe678a10b53"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"6.0.2"}]}}],"versions":["0.1.0","0.1.2","0.3.0","1.0.0","1.1.0","2.0.0","2.0.1","3.0.0","3.0.3","3.0.4","3.1.0","3.2.0","3.2.1","3.2.2","4.0.0","5.0.0","5.0.1","5.0.2","6.0.1","6.0.2","v0.1.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-20149.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}