Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

780 vulnerabilities reference this CWE, most recent first.

CVE-2021-3757 (GCVE-0-2021-3757)

Vulnerability from cvelistv5 – Published: 2021-09-02 12:06 – Updated: 2024-08-03 17:09
VLAI
Title
Prototype Pollution in immerjs/immer
Summary
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE
  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
Impacted products
Vendor Product Version
immerjs immerjs/immer Affected: unspecified , ≤ 9.0.5 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:09:09.144Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "immerjs/immer",
          "vendor": "immerjs",
          "versions": [
            {
              "lessThanOrEqual": "9.0.5",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-02T12:06:26.000Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa"
        }
      ],
      "source": {
        "advisory": "23d38099-71cd-42ed-a77a-71e68094adfa",
        "discovery": "EXTERNAL"
      },
      "title": "Prototype Pollution in immerjs/immer",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2021-3757",
          "STATE": "PUBLIC",
          "TITLE": "Prototype Pollution in immerjs/immer"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "immerjs/immer",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "9.0.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "immerjs"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237",
              "refsource": "MISC",
              "url": "https://github.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237"
            },
            {
              "name": "https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa",
              "refsource": "CONFIRM",
              "url": "https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa"
            }
          ]
        },
        "source": {
          "advisory": "23d38099-71cd-42ed-a77a-71e68094adfa",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2021-3757",
    "datePublished": "2021-09-02T12:06:26.000Z",
    "dateReserved": "2021-08-31T00:00:00.000Z",
    "dateUpdated": "2024-08-03T17:09:09.144Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-3666 (GCVE-0-2021-3666)

Vulnerability from cvelistv5 – Published: 2021-09-13 17:56 – Updated: 2024-08-03 17:01
VLAI
Title
Prototype Pollution in fiznool/body-parser-xml
Summary
body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE
  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
Impacted products
Vendor Product Version
fiznool fiznool/body-parser-xml Affected: unspecified , < 2.0.3 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:01:08.323Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/1-other-fiznool/body-parser-xml"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/fiznool/body-parser-xml/commit/d46ca622560f7c9a033cd9321c61e92558150d63"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fiznool/body-parser-xml",
          "vendor": "fiznool",
          "versions": [
            {
              "lessThan": "2.0.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-13T17:56:50.000Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://huntr.dev/bounties/1-other-fiznool/body-parser-xml"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/fiznool/body-parser-xml/commit/d46ca622560f7c9a033cd9321c61e92558150d63"
        }
      ],
      "source": {
        "advisory": "1-other-fiznool/body-parser-xml",
        "discovery": "EXTERNAL"
      },
      "title": "Prototype Pollution in fiznool/body-parser-xml",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2021-3666",
          "STATE": "PUBLIC",
          "TITLE": "Prototype Pollution in fiznool/body-parser-xml"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "fiznool/body-parser-xml",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "2.0.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "fiznool"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://huntr.dev/bounties/1-other-fiznool/body-parser-xml",
              "refsource": "CONFIRM",
              "url": "https://huntr.dev/bounties/1-other-fiznool/body-parser-xml"
            },
            {
              "name": "https://github.com/fiznool/body-parser-xml/commit/d46ca622560f7c9a033cd9321c61e92558150d63",
              "refsource": "MISC",
              "url": "https://github.com/fiznool/body-parser-xml/commit/d46ca622560f7c9a033cd9321c61e92558150d63"
            }
          ]
        },
        "source": {
          "advisory": "1-other-fiznool/body-parser-xml",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2021-3666",
    "datePublished": "2021-09-13T17:56:50.000Z",
    "dateReserved": "2021-07-26T00:00:00.000Z",
    "dateUpdated": "2024-08-03T17:01:08.323Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-3645 (GCVE-0-2021-3645)

Vulnerability from cvelistv5 – Published: 2021-09-10 11:04 – Updated: 2024-08-03 17:01
VLAI
Title
Prototype Pollution in viking04/merge
Summary
merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE
  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
Impacted products
Vendor Product Version
viking04 viking04/merge Affected: unspecified , < 1.0.2 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:01:07.653Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/ef387a9e-ca3c-4c21-80e3-d34a6a896262"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/viking04/merge/commit/baba40332080b38b33840d2614df6d4142dedaf6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "viking04/merge",
          "vendor": "viking04",
          "versions": [
            {
              "lessThan": "1.0.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-10T11:04:25.000Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://huntr.dev/bounties/ef387a9e-ca3c-4c21-80e3-d34a6a896262"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/viking04/merge/commit/baba40332080b38b33840d2614df6d4142dedaf6"
        }
      ],
      "source": {
        "advisory": "ef387a9e-ca3c-4c21-80e3-d34a6a896262",
        "discovery": "EXTERNAL"
      },
      "title": "Prototype Pollution in viking04/merge",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2021-3645",
          "STATE": "PUBLIC",
          "TITLE": "Prototype Pollution in viking04/merge"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "viking04/merge",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.0.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "viking04"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://huntr.dev/bounties/ef387a9e-ca3c-4c21-80e3-d34a6a896262",
              "refsource": "CONFIRM",
              "url": "https://huntr.dev/bounties/ef387a9e-ca3c-4c21-80e3-d34a6a896262"
            },
            {
              "name": "https://github.com/viking04/merge/commit/baba40332080b38b33840d2614df6d4142dedaf6",
              "refsource": "MISC",
              "url": "https://github.com/viking04/merge/commit/baba40332080b38b33840d2614df6d4142dedaf6"
            }
          ]
        },
        "source": {
          "advisory": "ef387a9e-ca3c-4c21-80e3-d34a6a896262",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2021-3645",
    "datePublished": "2021-09-10T11:04:25.000Z",
    "dateReserved": "2021-07-14T00:00:00.000Z",
    "dateUpdated": "2024-08-03T17:01:07.653Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-36632 (GCVE-0-2020-36632)

Vulnerability from cvelistv5 – Published: 2022-12-25 19:37 – Updated: 2024-08-04 17:30
VLAI
Title
hughsk flat index.js unflatten prototype pollution
Summary
A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 is able to address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.
CWE
  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
Impacted products
Vendor Product Version
hughsk flat Affected: 5.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T17:30:08.479Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.216777"
          },
          {
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.216777"
          },
          {
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://github.com/hughsk/flat/issues/105"
          },
          {
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://github.com/hughsk/flat/pull/106"
          },
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://github.com/hughsk/flat/commit/20ef0ef55dfa028caddaedbcb33efbdb04d18e13"
          },
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://github.com/hughsk/flat/releases/tag/5.0.1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "flat",
          "vendor": "hughsk",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes (\u0027prototype pollution\u0027). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 is able to address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability."
        },
        {
          "lang": "de",
          "value": "Es wurde eine kritische Schwachstelle in hughsk flat bis 5.0.0 gefunden. Es geht dabei um die Funktion unflatten der Datei index.js. Dank der Manipulation mit unbekannten Daten kann eine improperly controlled modification of object prototype attributes (\u0027prototype pollution\u0027)-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Ein Aktualisieren auf die Version 5.0.1 vermag dieses Problem zu l\u00f6sen. Der Patch wird als 20ef0ef55dfa028caddaedbcb33efbdb04d18e13 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-25T19:37:16.959Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.216777"
        },
        {
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.216777"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/hughsk/flat/issues/105"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/hughsk/flat/pull/106"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/hughsk/flat/commit/20ef0ef55dfa028caddaedbcb33efbdb04d18e13"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/hughsk/flat/releases/tag/5.0.1"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2022-12-25T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2022-12-25T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2022-12-25T20:42:14.000Z",
          "value": "VulDB last update"
        }
      ],
      "title": "hughsk flat index.js unflatten prototype pollution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2020-36632",
    "datePublished": "2022-12-25T19:37:16.959Z",
    "dateReserved": "2022-12-25T19:36:04.381Z",
    "dateUpdated": "2024-08-04T17:30:08.479Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2011-10019 (GCVE-0-2011-10019)

Vulnerability from cvelistv5 – Published: 2025-08-13 20:53 – Updated: 2026-05-15 11:13
VLAI
Title
Spreecommerce < 0.60.2 Search Parameter RCE
Summary
Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute arbitrary shell commands on the server without authentication.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
  • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
Impacted products
Vendor Product Version
Spreecommerce Spreecommerce Affected: 0 , < 0.60.2 (semver)
Create a notification for this product.
Date Public
2011-10-07 00:00
Credits
joernchen
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2011-10019",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-14T13:45:30.960902Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-14T14:52:06.504Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "search[send][]",
            "Kernel.fork",
            "eval"
          ],
          "product": "Spreecommerce",
          "vendor": "Spreecommerce",
          "versions": [
            {
              "lessThan": "0.60.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:spreecommerce:spree:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.60.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "joernchen"
        }
      ],
      "datePublic": "2011-10-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby\u2019s send method. This allows attackers to execute arbitrary shell commands on the server without authentication."
            }
          ],
          "value": "Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby\u2019s send method. This allows attackers to execute arbitrary shell commands on the server without authentication."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-242",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-242 Code Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T11:13:42.139Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "exploit"
          ],
          "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_search_exec.rb"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/17941"
        },
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/spreecommerce-search-parameter-rce"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/orgs/spree"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Spreecommerce \u003c 0.60.2 Search Parameter RCE",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2011-10019",
    "datePublished": "2025-08-13T20:53:33.577Z",
    "dateReserved": "2025-08-13T18:01:12.138Z",
    "dateUpdated": "2026-05-15T11:13:42.139Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-22H7-7WWG-QMGG

Vulnerability from github – Published: 2020-09-04 17:56 – Updated: 2020-08-31 19:00
VLAI
Summary
Prototype Pollution in @hapi/hoek
Details

Versions of @hapi/hoek prior to 8.5.1 and 9.0.3 are vulnerable to Prototype Pollution. The clone function fails to prevent the modification of the Object prototype when passed specially-crafted input. Attackers may use this to change existing properties that exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
This issue does not affect hapi applications since the framework protects against such malicious inputs. Applications that use @hapi/hoek outside of the hapi ecosystem may be vulnerable.

Recommendation

Update to version 8.5.1, 9.0.3 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@hapi/hoek"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.3.2"
            },
            {
              "fixed": "8.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@hapi/hoek"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T19:00:24Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "Versions of `@hapi/hoek` prior to 8.5.1 and 9.0.3 are vulnerable to Prototype Pollution. The `clone` function fails to prevent the modification of the Object prototype when passed specially-crafted input. Attackers may use this to change existing properties that exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.  \nThis issue __does not__ affect hapi applications since the framework protects against such malicious inputs. Applications that use `@hapi/hoek` outside of the hapi ecosystem may be vulnerable.\n\n\n## Recommendation\n\nUpdate to version 8.5.1, 9.0.3 or later.",
  "id": "GHSA-22h7-7wwg-qmgg",
  "modified": "2020-08-31T19:00:24Z",
  "published": "2020-09-04T17:56:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1468"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Prototype Pollution in @hapi/hoek"
}

GHSA-23WX-CGXQ-VPWX

Vulnerability from github – Published: 2022-05-03 00:00 – Updated: 2022-05-20 20:13
VLAI
Summary
Prototype Pollution in dset
Details

All versions of dset prior to 3.1.2 are vulnerable to Prototype Pollution via dset/merge mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or prototype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "dset"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.webjars.npm:dset"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25645"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-20T20:13:33Z",
    "nvd_published_at": "2022-05-01T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "All versions of `dset` prior to 3.1.2 are vulnerable to Prototype Pollution via `dset/merge` mode, as the `dset` function checks for prototype pollution by validating if the top-level path contains `__proto__`, `constructor` or `prototype`. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.",
  "id": "GHSA-23wx-cgxq-vpwx",
  "modified": "2022-05-20T20:13:33Z",
  "published": "2022-05-03T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25645"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lukeed/dset"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lukeed/dset/blob/master/src/merge.js%23L9"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2431974"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-DSET-2330881"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in dset"
}

GHSA-2488-W585-72CH

Vulnerability from github – Published: 2025-09-24 18:30 – Updated: 2025-09-26 16:58
VLAI
Summary
counterpart vulnerable to prototype pollution
Details

A vulnerability exists in the counterpart library for Node.js and the browser due to insufficient sanitization of user-controlled input in translation key processing. The affected versions prior to 0.18.6 allow attackers to manipulate the library's translation functionality by supplying maliciously crafted keys containing prototype chain elements (e.g., proto ), leading to prototype pollution. This weakness enables adversaries to inject arbitrary properties into the JavaScript Object prototype through the first parameter of the translate method when combined with specific separator configurations, potentially resulting in denial-of-service conditions or remote code execution in vulnerable applications. The issue arises from the library's failure to properly validate or neutralize special characters in translation key inputs before processing.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "counterpart"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.18.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-57354"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-26T16:58:56Z",
    "nvd_published_at": "2025-09-24T18:15:41Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability exists in the `counterpart` library for Node.js and the browser due to insufficient sanitization of user-controlled input in translation key processing. The affected versions prior to 0.18.6 allow attackers to manipulate the library\u0027s translation functionality by supplying maliciously crafted keys containing prototype chain elements (e.g., __proto__ ), leading to prototype pollution. This weakness enables adversaries to inject arbitrary properties into the JavaScript Object prototype through the first parameter of the translate method when combined with specific separator configurations, potentially resulting in denial-of-service conditions or remote code execution in vulnerable applications. The issue arises from the library\u0027s failure to properly validate or neutralize special characters in translation key inputs before processing.",
  "id": "GHSA-2488-w585-72ch",
  "modified": "2025-09-26T16:58:56Z",
  "published": "2025-09-24T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57354"
    },
    {
      "type": "WEB",
      "url": "https://github.com/martinandert/counterpart/issues/54"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57354"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/martinandert/counterpart"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "counterpart vulnerable to prototype pollution"
}

GHSA-26MH-XHV7-944G

Vulnerability from github – Published: 2024-07-30 21:31 – Updated: 2024-08-08 15:31
VLAI
Details

ais-ltd strategyen v0.4.0 was discovered to contain a prototype pollution via the function mergeObjects. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-30T20:15:04Z",
    "severity": "CRITICAL"
  },
  "details": "ais-ltd strategyen v0.4.0 was discovered to contain a prototype pollution via the function mergeObjects. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
  "id": "GHSA-26mh-xhv7-944g",
  "modified": "2024-08-08T15:31:27Z",
  "published": "2024-07-30T21:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39012"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/acfbd724a4b73bfb5d030575b653453c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2733-6C58-PF27

Vulnerability from github – Published: 2026-01-29 22:21 – Updated: 2026-02-27 20:45
VLAI
Summary
deepHas vulnerable to Prototype Pollution via constructor.prototype
Details

Summary

A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.

Details

The vulnerability resides in the add() function and indexer() function implemented within deepHas.js. Although version 1.0.7 attempts to prevent prototype pollution by checking property ownership (e.g., using Object.hasOwnProperty) and by checking against forbidden string usage (using String.prototype.indexOf), this check can be bypassed as shown in the PoC

By doing so, an attacker can inject properties into Object.prototype through a payload such as constructor.prototype.polluted or proto.polluted resulting in prototype pollution.

This issue affects all JavaScript runtimes that rely on npm packages (including Node.js, Deno, and Bun) and is independent of the operating system.

PoC

Steps to reproduce

  1. Install version 1.0.7 of deephas using npm install
  2. Run one of the following code snippets:
//PoC 1
Object.prototype.hasOwnProperty = () => true;
console.log({}.polluted);
const dh = require('deephas');
let obj = {};
dh.set(obj, 'constructor.prototype.polluted', 'yes');
console.log('{ ' + obj.polluted + ', ' + 'yes' + ' }'); // prints yes => the patch is bypassed and prototype pollution occurred

OR

//PoC 2
String.prototype.indexOf = () => -1;
console.log({}.polluted);
const dh = require('deephas');
let obj = {};
dh.set(obj, '__proto__.polluted', 'yes');
console.log('{ ' + obj.polluted + ', ' + 'yes' + ' }'); // prints yes => the patch is bypassed and prototype pollution occurred

Expected behavior

Prototype pollution should be prevented and {} should not gain new properties. This should be printed on the console:

undefined
undefined OR throw an Error

Actual behavior

Object.prototype is polluted and the property polluted becomes globally accessible. This is printed on the console:

undefined
yes

Impact

This is a prototype pollution vulnerability, which can have severe security implications depending on how deephas is used by downstream applications. Any application that processes attacker-controlled input using deephas.set may be affected. It could potentially lead to the following problems: 1. Authentication bypass 2. Denial of service 4. Remote code execution (if polluted property is passed to sinks like eval or child_process)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "deephas"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-29T22:21:32Z",
    "nvd_published_at": "2026-01-29T22:15:55Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nA prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.\n\n### Details\nThe vulnerability resides in the `add()` function and `indexer()` function implemented within `deepHas.js`. Although version 1.0.7 attempts to prevent prototype pollution by checking property ownership (e.g., using Object.hasOwnProperty) and by checking against forbidden string usage (using String.prototype.indexOf), this check can be bypassed as shown in the PoC\n\nBy doing so, an attacker can inject properties into Object.prototype through a payload such as constructor.prototype.polluted or __proto__.polluted resulting in prototype pollution.\n\nThis issue affects all JavaScript runtimes that rely on npm packages (including Node.js, Deno, and Bun) and is independent of the operating system.\n\n### PoC\n#### Steps to reproduce\n1. Install version 1.0.7 of `deephas` using npm install\n2. Run one of the following code snippets:\n\n```javascript\n//PoC 1\nObject.prototype.hasOwnProperty = () =\u003e true;\nconsole.log({}.polluted);\nconst dh = require(\u0027deephas\u0027);\nlet obj = {};\ndh.set(obj, \u0027constructor.prototype.polluted\u0027, \u0027yes\u0027);\nconsole.log(\u0027{ \u0027 + obj.polluted + \u0027, \u0027 + \u0027yes\u0027 + \u0027 }\u0027); // prints yes =\u003e the patch is bypassed and prototype pollution occurred\n```\nOR\n\n```javascript\n//PoC 2\nString.prototype.indexOf = () =\u003e -1;\nconsole.log({}.polluted);\nconst dh = require(\u0027deephas\u0027);\nlet obj = {};\ndh.set(obj, \u0027__proto__.polluted\u0027, \u0027yes\u0027);\nconsole.log(\u0027{ \u0027 + obj.polluted + \u0027, \u0027 + \u0027yes\u0027 + \u0027 }\u0027); // prints yes =\u003e the patch is bypassed and prototype pollution occurred\n```\n\n#### Expected behavior\nPrototype pollution should be prevented and {} should not gain new properties.\nThis should be printed on the console:\n```\nundefined\nundefined OR throw an Error\n```\n\n#### Actual behavior\nObject.prototype is polluted and the property polluted becomes globally accessible.\nThis is printed on the console:\n```\nundefined\nyes\n```\n\n### Impact\nThis is a prototype pollution vulnerability, which can have severe security implications depending on how deephas is used by downstream applications. Any application that processes attacker-controlled input using `deephas.set` may be affected.\nIt could potentially lead to the following problems:\n1. Authentication bypass\n2. Denial of service\n4. Remote code execution (if polluted property is passed to sinks like eval or child_process)",
  "id": "GHSA-2733-6c58-pf27",
  "modified": "2026-02-27T20:45:38Z",
  "published": "2026-01-29T22:21:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25047"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sharpred/deepHas"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "deepHas vulnerable to Prototype Pollution via constructor.prototype"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.