Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

781 vulnerabilities reference this CWE, most recent first.

GHSA-5P42-M6F3-HPMJ

Vulnerability from github – Published: 2023-08-17 00:30 – Updated: 2023-08-24 22:28
VLAI
Summary
tree-kit Prototype Pollution vulnerability
Details

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code via the extend function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "tree-kit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-38894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-17T19:06:27Z",
    "nvd_published_at": "2023-08-16T22:15:13Z",
    "severity": "CRITICAL"
  },
  "details": "A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code via the extend function.",
  "id": "GHSA-5p42-m6f3-hpmj",
  "modified": "2023-08-24T22:28:41Z",
  "published": "2023-08-17T00:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38894"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cronvel/tree-kit/commit/61bf10cf0dbddaeea3f198cfe7cb469f360d82bc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cronvel/tree-kit"
    },
    {
      "type": "WEB",
      "url": "https://www.code-intelligence.com/blog/treekit-prototype-pollution-cve-2023-38894"
    },
    {
      "type": "WEB",
      "url": "http://tree-kit.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "tree-kit Prototype Pollution vulnerability"
}

GHSA-5PG7-V24C-9RP9

Vulnerability from github – Published: 2021-05-18 01:53 – Updated: 2021-04-19 22:11
VLAI
Summary
Prototype pollution in controlled-merge
Details

Prototype pollution vulnerability in 'controlled-merge' versions 1.0.0 through 1.2.0 allows attacker to cause a denial of service and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "controlled-merge"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-19T22:11:46Z",
    "nvd_published_at": "2020-11-15T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "Prototype pollution vulnerability in \u0027controlled-merge\u0027 versions 1.0.0 through 1.2.0 allows attacker to cause a denial of service and may lead to remote code execution.",
  "id": "GHSA-5pg7-v24c-9rp9",
  "modified": "2021-04-19T22:11:46Z",
  "published": "2021-05-18T01:53:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28268"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hlfshell/controlled-merge/commit/5a4b2e9ffe5a0be7f8843d4ab038599d3ae5f9d4"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/controlled-merge"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28268"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in controlled-merge"
}

GHSA-5PMH-H3MV-VX4H

Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-02-07 18:31
VLAI
Details

A prototype pollution in the function lib.parse of dot-properties v1.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57084"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-05T22:15:32Z",
    "severity": "HIGH"
  },
  "details": "A prototype pollution in the function lib.parse of dot-properties v1.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.",
  "id": "GHSA-5pmh-h3mv-vx4h",
  "modified": "2025-02-07T18:31:19Z",
  "published": "2025-02-06T06:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57084"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/tariqhawis/3dbeb208c3e22f90a601818ccd06a948"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5RRQ-PXF6-6JX5

Vulnerability from github – Published: 2022-01-08 00:22 – Updated: 2022-01-07 22:20
VLAI
Summary
Prototype Pollution in node-forge debug API.
Details

Impact

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Patches

The forge.debug API and related functions were removed in 1.0.0.

Workarounds

Don't use the forge.debug API directly or indirectly with untrusted input.

References

  • https://www.huntr.dev/bounties/1-npm-node-forge/

For more information

If you have any questions or comments about this advisory: * Open an issue in forge. * Email us at support@digitalbazaar.com.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-forge"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-07T22:20:53Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\nThe `forge.debug` API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised.  It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.\n\n### Patches\nThe `forge.debug` API and related functions were removed in 1.0.0.\n\n### Workarounds\nDon\u0027t use the `forge.debug` API directly or indirectly with untrusted input.\n\n### References\n- https://www.huntr.dev/bounties/1-npm-node-forge/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge).\n* Email us at support@digitalbazaar.com.",
  "id": "GHSA-5rrq-pxf6-6jx5",
  "modified": "2022-01-07T22:20:53Z",
  "published": "2022-01-08T00:22:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-5rrq-pxf6-6jx5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/digitalbazaar/forge"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Prototype Pollution in node-forge debug API."
}

GHSA-5VM6-5FWC-4G9H

Vulnerability from github – Published: 2023-11-01 12:30 – Updated: 2023-11-09 21:30
VLAI
Details

Prototype pollution in bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js in Bitrix24 22.0.300 allows remote attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via polluting __proto__[tag] and __proto__[text].

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-01T10:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "\nPrototype pollution in bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js in Bitrix24 22.0.300 allows remote attackers to execute arbitrary JavaScript code in the victim\u2019s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via polluting `__proto__[tag]` and `__proto__[text]`.\n\n\n\n\n\n",
  "id": "GHSA-5vm6-5fwc-4g9h",
  "modified": "2023-11-09T21:30:34Z",
  "published": "2023-11-01T12:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1717"
    },
    {
      "type": "WEB",
      "url": "https://starlabs.sg/advisories/23/23-1717"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5XJX-4XCM-HPCM

Vulnerability from github – Published: 2021-12-10 18:53 – Updated: 2022-07-05 18:01
VLAI
Summary
Prototype Pollution in ts-nodash
Details

ts-nodash before version 1.2.7 is vulnerable to Prototype Pollution via the Merge() function due to lack of validation input.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ts-nodash"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23403"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-06T14:35:53Z",
    "nvd_published_at": "2021-07-02T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "`ts-nodash` before version 1.2.7 is vulnerable to Prototype Pollution via the Merge() function due to lack of validation input.",
  "id": "GHSA-5xjx-4xcm-hpcm",
  "modified": "2022-07-05T18:01:53Z",
  "published": "2021-12-10T18:53:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23403"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BadOPCode/NoDash/commit/b9cc2b3b49f6cd5228e406bc57e17a28b998fea5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/BadOPCode/NoDash"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BadOPCode/NoDash/blob/master/src/Merge.ts"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-TSNODASH-1311009"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in ts-nodash"
}

GHSA-624G-8QJG-8QXF

Vulnerability from github – Published: 2024-04-23 21:15 – Updated: 2024-06-10 20:12
VLAI
Summary
Conform contains a Prototype Pollution Vulnerability in `parseWith...` function
Details

Summary

Conform allows the parsing of nested objects in the form of object.property. Due to an improper implementation of this feature, an attacker can exploit it to trigger prototype pollution by passing a crafted input to parseWith... functions.

PoC

const { parseWithZod } = require('@conform-to/zod');
const { z } = require("zod"); 

const param = new URLSearchParams("__proto__.pollution=polluted");
const schema = z.object({ "a": z.string() });

parseWithZod(param, { schema });
console.log("pollution:", ({}).pollution); // should print "polluted"

Details

The invocation of the parseWithZod function in the above PoC triggers the setValue function through getSubmissionContext and parse, executing the following process, resulting in prototype pollution:

let pointer = value;

pointer.__proto__ = pointer.__proto__;
pointer = pointer.__proto__;

pointer.polluted = "polluted";

This is caused by the lack of object existence checking on line 117 in formdata.ts, where the code only checks for the presence of pointer[key] without proper validation.

Impact

Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@conform-to/dom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@conform-to/zod"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@conform-to/yup"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@conform-to/zod"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@conform-to/yup"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@conform-to/dom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-23T21:15:55Z",
    "nvd_published_at": "2024-04-23T21:15:48Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nConform allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature, an attacker can exploit it to trigger prototype pollution by passing a crafted input to `parseWith...` functions.\n\n### PoC\n```javascript\nconst { parseWithZod } = require(\u0027@conform-to/zod\u0027);\nconst { z } = require(\"zod\"); \n\nconst param = new URLSearchParams(\"__proto__.pollution=polluted\");\nconst schema = z.object({ \"a\": z.string() });\n\nparseWithZod(param, { schema });\nconsole.log(\"pollution:\", ({}).pollution); // should print \"polluted\"\n```\n\n### Details\n\nThe invocation of the `parseWithZod` function in the above PoC triggers the `setValue` function through `getSubmissionContext` and `parse`, executing the following process, resulting in prototype pollution:\n\n```javascript\nlet pointer = value;\n\npointer.__proto__ = pointer.__proto__;\npointer = pointer.__proto__;\n\npointer.polluted = \"polluted\";\n```\n\nThis is caused by the lack of object existence checking on [line 117 in formdata.ts](https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117), where the code only checks for the presence of `pointer[key]` without proper validation.\n\n### Impact\nApplications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability.\n",
  "id": "GHSA-624g-8qjg-8qxf",
  "modified": "2024-06-10T20:12:58Z",
  "published": "2024-04-23T21:15:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/edmundhung/conform/security/advisories/GHSA-624g-8qjg-8qxf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32866"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edmundhung/conform/commit/4819d51b5a53fd5486fc85c17cdc148eb160e3de"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edmundhung/conform/commit/cb604dd58b99e2d12716d901a23bfca724e741ef"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/edmundhung/conform"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.ts#L117"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Conform contains a Prototype Pollution Vulnerability in `parseWith...` function"
}

GHSA-62F6-MRCJ-V8H5

Vulnerability from github – Published: 2026-03-03 22:12 – Updated: 2026-03-18 21:51
VLAI
Summary
OpenClaw's runtime /debug override path accepted prototype-reserved keys
Details

Summary

OpenClaw accepted prototype-reserved keys in runtime /debug set override object values (__proto__, constructor, prototype).

Impact

/debug is disabled by default, and exploitation requires an already authorized /debug set caller. No unauthenticated vector was identified.

This issue affects runtime in-memory overrides only (non-persistent and cleared on restart/reset). Given the required prior authorization boundary, this is treated as defense-in-depth hardening for command flag evaluation.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published vulnerable version confirmed: 2026.2.19-2
  • Vulnerable range: <= 2026.2.19-2
  • Patched in planned next release: 2026.2.21

Technical Details

  • Runtime override merges now block reserved prototype keys during deep merge.
  • Runtime override writes now sanitize nested object values to remove reserved prototype keys before storing overrides.
  • Restricted command gates (bash, config, debug) now require own-property boolean flags, preventing inherited prototype values from enabling commands.

Fix Commit(s)

  • fbb79d4013000552d6a2c23b9613d8b3cb92f6b6

Release Process Note

patched_versions is pre-set to 2026.2.21 so after the npm release is live, this advisory can be published immediately.

OpenClaw thanks @tdjackey for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27524"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T22:12:20Z",
    "nvd_published_at": "2026-03-18T02:16:23Z",
    "severity": "LOW"
  },
  "details": "### Summary\nOpenClaw accepted prototype-reserved keys in runtime `/debug set` override object values (`__proto__`, `constructor`, `prototype`).\n\n### Impact\n`/debug` is disabled by default, and exploitation requires an already authorized `/debug set` caller. No unauthenticated vector was identified.\n\nThis issue affects runtime in-memory overrides only (non-persistent and cleared on restart/reset). Given the required prior authorization boundary, this is treated as defense-in-depth hardening for command flag evaluation.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published vulnerable version confirmed: `2026.2.19-2`\n- Vulnerable range: `\u003c= 2026.2.19-2`\n- Patched in planned next release: `2026.2.21`\n\n### Technical Details\n- Runtime override merges now block reserved prototype keys during deep merge.\n- Runtime override writes now sanitize nested object values to remove reserved prototype keys before storing overrides.\n- Restricted command gates (`bash`, `config`, `debug`) now require own-property boolean flags, preventing inherited prototype values from enabling commands.\n\n### Fix Commit(s)\n- `fbb79d4013000552d6a2c23b9613d8b3cb92f6b6`\n\n### Release Process Note\n`patched_versions` is pre-set to `2026.2.21` so after the npm release is live, this advisory can be published immediately.\n\nOpenClaw thanks @tdjackey for reporting.",
  "id": "GHSA-62f6-mrcj-v8h5",
  "modified": "2026-03-18T21:51:56Z",
  "published": "2026-03-03T22:12:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-62f6-mrcj-v8h5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27524"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/fbb79d4013000552d6a2c23b9613d8b3cb92f6b6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-prototype-pollution-via-debug-override-path"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw\u0027s runtime /debug override path accepted prototype-reserved keys"
}

GHSA-6339-GV7W-G5F4

Vulnerability from github – Published: 2024-10-08 06:30 – Updated: 2024-10-08 14:37
VLAI
Summary
SAP HANA Node.js client package vulnerable to Prototype Pollution
Details

The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sap/hana-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.21.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45277"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-08T14:37:55Z",
    "nvd_published_at": "2024-10-08T04:15:08Z",
    "severity": "MODERATE"
  },
  "details": "The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity.",
  "id": "GHSA-6339-gv7w-g5f4",
  "modified": "2024-10-08T14:37:55Z",
  "published": "2024-10-08T06:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45277"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3520100"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/@sap/hana-client?activeTab=code"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SAP HANA Node.js client package vulnerable to Prototype Pollution"
}

GHSA-653V-RQX9-J85P

Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-16 20:50
VLAI
Summary
deep-object-diff vulnerable to Prototype Pollution
Details

deep-object-diff before version 1.1.6 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited. This issue was fixed in version 1.1.9.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "deep-object-diff"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.6"
            },
            {
              "fixed": "1.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-41713"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-08T14:48:51Z",
    "nvd_published_at": "2022-11-03T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "deep-object-diff before version 1.1.6 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited. This issue was fixed in version 1.1.9.",
  "id": "GHSA-653v-rqx9-j85p",
  "modified": "2022-11-16T20:50:01Z",
  "published": "2022-11-04T12:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41713"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattphillips/deep-object-diff/issues/85"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattphillips/deep-object-diff/issues/85#issuecomment-1312450353"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattphillips/deep-object-diff/pull/87/commits/55f9c3c70cf0d54cb30291e949fb8682fa3c5d9f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattphillips/deep-object-diff/pull/87/commits/9576963b68b955e88610aa4f0c696a1aafc1119d"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/heldens"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattphillips/deep-object-diff"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "deep-object-diff vulnerable to Prototype Pollution"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.