CVE-2021-28860: Urgent matter · Issue #1 · adaltas/node-mixme
In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via `__proto__` through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This puts the availability of the program at risk, causing a potential denial of service (DoS).
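The advisory describes a recursive merge that honours an attacker-controlled `__proto__` key, so the merged value lands on `Object.prototype` and is visible on every object. The following is an added example, not mixme's own code: a hardened deep merge (`safeMerge`, a hypothetical name) that skips the keys able to reach the prototype chain and only walks own properties of plain objects, plus a boundary check (`pollutionKeyPaths`) that reports such keys in untrusted JSON before it reaches any merge, and a self-check (`mergeIsClean`) that confirms a merge left `Object.prototype` untouched. The payload is constructed for illustration.

```javascript
// Added example (not mixme's code): a deep merge hardened against prototype pollution,
// with a boundary scan and a post-merge cleanliness check.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Only plain objects (literal / JSON.parse results) are merged recursively.
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursively merge `source` into `target`, mutating and returning `target`.
// Keys that can reach the prototype chain are dropped rather than assigned.
function safeMerge(target, source) {
  if (!isPlainObject(target)) target = {};
  if (!isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // never assign __proto__ / constructor / prototype
    const incoming = source[key];
    if (isPlainObject(incoming)) {
      // Reuse an existing *own* plain object; never descend into inherited properties.
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = safeMerge(existing, incoming);
    } else {
      target[key] = incoming;
    }
  }
  return target;
}

// Boundary check: dotted paths inside `value` that carry a forbidden key, so untrusted
// JSON can be rejected (and logged) before any merge runs.
function pollutionKeyPaths(value, path = []) {
  if (!isPlainObject(value)) return [];
  const hits = [];
  for (const key of Object.keys(value)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) hits.push(here.join("."));
    // An own data property named "__proto__" (as JSON.parse creates) shadows the accessor,
    // so value[key] returns the nested object rather than the prototype.
    hits.push(...pollutionKeyPaths(value[key], here));
  }
  return hits;
}

// Constructed payload of the shape the advisory describes: JSON.parse yields an *own*
// property literally named "__proto__", which a naive recursive merge would assign.
const PAYLOAD = JSON.parse('{"__proto__": {"polluted": "yes"}, "a": {"b": 1}}');

// Returns true when merging PAYLOAD with `mergeFn` leaves fresh objects unaffected.
// If a merge did leak, the marker is removed again so the rest of the process stays clean.
function mergeIsClean(mergeFn) {
  const before = Object.prototype.hasOwnProperty.call(Object.prototype, "polluted");
  mergeFn({}, PAYLOAD);
  const leaked = ({}).polluted !== undefined;
  if (leaked) delete Object.prototype.polluted;
  return !before && !leaked;
}

// Stand-alone usage
console.log("suspicious paths:", pollutionKeyPaths(PAYLOAD));
console.log("safeMerge result:", JSON.stringify(safeMerge({ a: { c: 2 } }, PAYLOAD)));
console.log("Object.prototype untouched:", mergeIsClean(safeMerge));
```

Rejecting forbidden keys at the boundary is the cheaper control when the input is JSON; the hardened merge is the backstop for any caller that forgot to validate. Freezing `Object.prototype` at startup (`Object.freeze(Object.prototype)`) is a further process-wide mitigation, at the cost of breaking libraries that legitimately extend it.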
All the versions shall be concerned, but considering this is a `0.x` version, I don't think it is necessary to go through each version to publish a new patch release; it would take time. I found how to report malware on NPM but not how to report a security advisory. Is there a form, or shall I contact NPM on their ***@***.*** address? Thank you for the follow-up, I appreciate it. David
On 26/04/2021 13:41, Dan Shallom wrote:

Hi David,

That's right. But in this case only one version should be blocked is v0.5.0 - can you confirm? Eventually an advisory should be published for mixme, in https://www.npmjs.com/advisories

Dan

On Mon, 26 Apr 2021 at 12:49 Worms David ***@***.***> wrote:

> I didn't. I felt like releasing a new version is sufficient. What is the process you are suggesting, to block the access of previously published versions?
>
> David
>
> On 26/04/2021 10:13, Dan Shallom wrote:
>
>> Thanks David,
>> Did you contact NPM as well?
>>
>> Have a great week!
>>
>> On Mon, 26 Apr 2021 at 0:40 Worms David ***@***.***> wrote:
>>
>>> Closed #1.
>
> –
> David Worms, SARL Adaltas
> ***@***.***, +33 6 76 88 72 13
> 6 rue Jules Simon, 92100 Boulogne-Billancourt
–
David Worms, SARL Adaltas
***@***.***, +33 6 76 88 72 13
6 rue Jules Simon, 92100 Boulogne-Billancourt