CVE-2021-28860 – This vulnerability in the Node.js mixme library... (How to Fix)

Q: What is the severity of CVE-2021-28860?

CVE-2021-28860 has a CVSS score of 9.1 (CRITICAL). This vulnerability in the Node.js mixme library allows attackers to perform prototype pollution attacks through the mutate() and merge() functions. By manipulating '__proto__' properties, attackers can add or alter object properties that affect all objects in the program, potentially causing denial of service. This affects any application using vulnerable versions of the mixme library.

📋 TL;DR

This vulnerability in the Node.js mixme library allows attackers to perform prototype pollution attacks through the mutate() and merge() functions. By manipulating '__proto__' properties, attackers can add or alter object properties that affect all objects in the program, potentially causing denial of service. This affects any application using vulnerable versions of the mixme library.

💻 Affected Systems

Products:

Node.js applications using mixme library

Versions: All versions prior to 0.5.1

Operating Systems: All platforms running Node.js

Default Config Vulnerable: ⚠️ Yes

Notes: Any application using mixme's mutate() or merge() functions with untrusted input is vulnerable. The vulnerability is in the library itself, not dependent on specific configurations.

📦 What is this software?

Mixme by Adaltas

View all CVEs affecting Mixme →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete application denial of service through prototype pollution leading to crashes, memory exhaustion, or unpredictable behavior affecting all objects in the program.

🟠

Likely Case

Application instability, crashes, or degraded performance due to polluted object prototypes affecting multiple parts of the system.

🟢

If Mitigated

Limited impact if input validation prevents malicious payloads from reaching vulnerable functions, though risk remains if untrusted data is processed.

🌐 Internet-Facing: HIGH - Web applications processing user input through mixme functions are directly exposed to exploitation attempts.

🏢 Internal Only: MEDIUM - Internal applications may still be vulnerable if processing untrusted data, though attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is straightforward - attackers can send specially crafted objects with '__proto__' properties to vulnerable endpoints. Public proof-of-concept exists in GitHub advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.5.1 and later

Vendor Advisory: https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4

Restart Required: Yes

Instructions:

1. Update mixme dependency to version 0.5.1 or later in package.json. 2. Run 'npm update mixme' or 'yarn upgrade mixme'. 3. Restart the Node.js application. 4. Test application functionality.

🔧 Temporary Workarounds

Input validation and sanitization

all

Implement strict input validation to reject objects containing '__proto__' or similar prototype pollution vectors before passing to mixme functions.

Object freezing

all

Use Object.freeze() on critical objects or Object.prototype to prevent prototype pollution, though this may break legitimate functionality.

🧯 If You Can't Patch

Implement strict input validation to reject any objects containing '__proto__', 'constructor', or 'prototype' properties
Use alternative libraries or custom implementations instead of mixme's mutate() and merge() functions for processing untrusted data

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for mixme version. If version is below 0.5.1, the application is vulnerable.

Check Version:

npm list mixme | grep mixme OR node -e "console.log(require('mixme/package.json').version)"

Verify Fix Applied:

After updating, verify mixme version is 0.5.1 or higher using 'npm list mixme' or check package.json. Test with known safe inputs to ensure functionality.

📡 Detection & Monitoring

Log Indicators:

Unusual application crashes, memory exhaustion errors, unexpected property assignments in objects
Requests containing '__proto__' in payloads

Network Indicators:

HTTP requests with JSON payloads containing '__proto__' properties
Unusual patterns of requests to endpoints using mixme functions

SIEM Query:

source="application_logs" AND ("__proto__" OR "prototype pollution" OR "mixme")

📊 Metadata

CVE ID: CVE-2021-28860

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CWE: CWE-1321

Published: May 3, 2021

Last Updated: November 21, 2024

🔗 References

http://nodejs.com Third Party Advisory,URL Repurposed
https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028 Patch,Third Party Advisory
https://github.com/adaltas/node-mixme/issues/1 Issue Tracking,Third Party Advisory
https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4 Patch,Third Party Advisory
https://security.netapp.com/advisory/ntap-20210618-0005/ Third Party Advisory
https://www.npmjs.com/~david Third Party Advisory
http://nodejs.com Third Party Advisory,URL Repurposed
https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028 Patch,Third Party Advisory
https://github.com/adaltas/node-mixme/issues/1 Issue Tracking,Third Party Advisory
https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4 Patch,Third Party Advisory
https://security.netapp.com/advisory/ntap-20210618-0005/ Third Party Advisory
https://www.npmjs.com/~david Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-28860, you might also want to check these: