CVE-2020-24939: 
JavaScript vulnerability analysis and mitigation

Prototype pollution vulnerability was discovered in Stampit supermixer version 1.0.3, allowing attackers to modify the prototype of a base object. The vulnerability was assigned CVE-2020-24939 and has a CVSS v3.1 base score of 7.5 (HIGH) (NVD).

The vulnerability exists in the merge function of supermixer, which allows an attacker to inject properties into existing JavaScript language construct prototypes. When merging objects, the function fails to properly validate user input that could modify the object prototype. The vulnerability has been classified as CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (CWE).

The impact of this vulnerability can vary depending on implementation, potentially leading to Denial of Service (DoS), access to restricted data, or in some cases Remote Code Execution (RCE). The vulnerability allows attackers to inject arbitrary properties into Object.prototype, which affects all objects inheriting from the modified prototype (GitHub Issue).

The vulnerability has been fixed in version 1.0.5 of supermixer. Users are advised to upgrade to this version or later. The fix includes changes to prevent prototype pollution by properly validating object properties during merge operations (Release Notes).