{"id":"CVE-2021-28860","details":"In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).","aliases":["GHSA-r5cq-9537-9rpf"],"modified":"2026-04-02T06:48:50.779472Z","published":"2021-05-03T12:15:07.467Z","related":["GHSA-79jw-6wg7-r9g4"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210618-0005/"},{"type":"ADVISORY","url":"https://www.npmjs.com/~david"},{"type":"ADVISORY","url":"http://nodejs.com"},{"type":"REPORT","url":"https://github.com/adaltas/node-mixme/issues/1"},{"type":"FIX","url":"https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4"},{"type":"FIX","url":"https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/adaltas/node-mixme","events":[{"introduced":"0"},{"fixed":"0ae91325065dd8693eb457492c210ff9a3fa6f7b"},{"fixed":"cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.5.1"}]}}],"versions":["v0.0.1","v0.1.0","v0.2.0","v0.3.0","v0.3.1","v0.3.2","v0.3.3","v0.3.5","v0.4.0","v0.5.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-28860.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}]}