CVE-2019-10806
JavaScript vulnerability analysis and mitigation

Overview

vega-util prior to version 1.13.1 contains a Prototype Pollution vulnerability identified as CVE-2019-10806. The vulnerability exists in the 'vega.mergeConfig' method within vega-util, which could be tricked into adding or modifying properties of the Object.prototype (NVD Results, Snyk Report).

Technical details

The vulnerability is rated with a CVSS v3.1 Base Score of 4.3 (Medium) and a CVSS v2.0 Base Score of 4.0 (Medium). The issue stems from the mergeConfig method not properly validating input, allowing manipulation of the object prototype. The vulnerability was discovered by Sam Sanoop of the Snyk Security Team (Snyk Report).

Impact

When exploited, this vulnerability could allow attackers to modify properties of Object.prototype, potentially leading to Denial of Service conditions and affecting the integrity of the application. The impact is considered medium severity as it can cause performance reduction and interruptions in resource availability (Snyk Report).

Mitigation and workarounds

The recommended mitigation is to upgrade vega-util to version 1.13.1 or higher. The fix involves implementing proper input validation by adding checks for illegal keys, particularly '__proto__', in the mergeConfig function (GitHub Commit).
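The following added example (not vega-util's source and not code from the original page) contrasts a simplified recursive merge with one that applies an illegal-key check of the kind described above. The names naiveMerge, safeMerge, ILLEGAL_KEYS and demo are hypothetical, the input is constructed, and blocking 'constructor' and 'prototype' in addition to '__proto__' is an extra precaution assumed here rather than taken from the fix.

```javascript
// Added example: simplified stand-ins, not the vega-util implementation.
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive recursive merge: walks every own key of the source, including "__proto__".
// target["__proto__"] resolves to Object.prototype, so the recursion writes into it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key]) && isObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Assumption: a broader deny-list than the '__proto__' check the page describes.
const ILLEGAL_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Hardened merge: skips illegal keys and only recurses into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (ILLEGAL_KEYS.has(key)) continue;
    if (isObject(source[key])) {
      if (!hasOwn(target, key) || !isObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Runs both merges on a constructed config and reports whether Object.prototype changed.
function demo() {
  const json = '{"axis":{"grid":true},"__proto__":{"polluted":true}}'; // constructed input
  naiveMerge({}, JSON.parse(json));
  const naivePolluted = ({}).polluted === true;
  delete Object.prototype.polluted; // restore global state before the second run

  const merged = safeMerge({ axis: { ticks: 5 } }, JSON.parse(json));
  const safePolluted = ({}).polluted === true;
  return { naivePolluted, safePolluted, merged };
}

console.log(demo());
```

A check like the one in demo() can serve as a regression test after upgrading: merge a config containing a '__proto__' key and assert that a fresh object gains no new properties.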


This report was generated using AI.
