Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

782 vulnerabilities reference this CWE, most recent first.

GHSA-CR7H-93FH-WHWM

Vulnerability from github – Published: 2025-09-24 21:30 – Updated: 2025-09-25 17:52
VLAI
Summary
magix-combine-ex vulnerable to prototype pollution
Details

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions through 2.2.2 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "magix-combine-ex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-57321"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-25T17:52:23Z",
    "nvd_published_at": "2025-09-24T20:15:31Z",
    "severity": "LOW"
  },
  "details": "A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions through 2.2.2 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.",
  "id": "GHSA-cr7h-93fh-whwm",
  "modified": "2025-09-25T17:52:42Z",
  "published": "2025-09-24T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57321"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/magix-combine-ex%401.2.10/index.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57321"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thx/magix-combine"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "magix-combine-ex vulnerable to prototype pollution"
}

GHSA-CWCX-RXGC-CMW3

Vulnerability from github – Published: 2021-05-17 20:57 – Updated: 2025-05-01 00:21
VLAI
Summary
Prototype pollution in 101
Details

Prototype pollution vulnerability in '101' versions 1.0.0 through 1.6.3 allows an attacker to cause a denial of service and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "101"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "last_affected": "1.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-25943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-17T18:01:38Z",
    "nvd_published_at": "2021-05-14T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in \u0027101\u0027 versions 1.0.0 through 1.6.3 allows an attacker to cause a denial of service and may lead to remote code execution.",
  "id": "GHSA-cwcx-rxgc-cmw3",
  "modified": "2025-05-01T00:21:05Z",
  "published": "2021-05-17T20:57:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25943"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tjmehta/101"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tjmehta/101/blob/d87f63ce2a4cbdc476e8287abd78327c3144d646/set.js#L52"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25943"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in 101"
}

GHSA-CXM3-284P-QC4V

Vulnerability from github – Published: 2020-09-03 15:53 – Updated: 2021-07-29 15:56
VLAI
Summary
Prototype Pollution in sds
Details

Affected versions of sds are vulnerable to prototype pollution. The set function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.

Recommendation

Upgrade to version 4.0.0 or later

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "sds"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T19:01:47Z",
    "nvd_published_at": "2020-04-07T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Affected versions of `sds` are vulnerable to prototype pollution. The `set` function does not restrict the modification of an Object\u0027s prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.\n\n## Recommendation\n\nUpgrade to version 4.0.0 or later",
  "id": "GHSA-cxm3-284p-qc4v",
  "modified": "2021-07-29T15:56:20Z",
  "published": "2020-09-03T15:53:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7618"
    },
    {
      "type": "WEB",
      "url": "https://github.com/monsterkodi/sds/blob/master/js/set.js#L31"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-SDS-564123"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1506"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in sds"
}

GHSA-F23M-R3PF-42RH

Vulnerability from github – Published: 2026-04-01 23:50 – Updated: 2026-04-01 23:50
VLAI
Summary
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
Details

Impact

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.

The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

Patches

This issue is patched in 4.18.0.

Workarounds

None. Upgrade to the patched version.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.17.23"
      },
      "package": {
        "ecosystem": "npm",
        "name": "lodash"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.17.23"
      },
      "package": {
        "ecosystem": "npm",
        "name": "lodash-es"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.17.23"
      },
      "package": {
        "ecosystem": "npm",
        "name": "lodash-amd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash.unset"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-2950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T23:50:27Z",
    "nvd_published_at": "2026-03-31T20:16:26Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\n### Patches\n\nThis issue is patched in 4.18.0.\n\n### Workarounds\n\nNone. Upgrade to the patched version.",
  "id": "GHSA-f23m-r3pf-42rh",
  "modified": "2026-04-01T23:50:27Z",
  "published": "2026-04-01T23:50:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lodash/lodash"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"
}

GHSA-F3PP-32QC-36W4

Vulnerability from github – Published: 2021-09-22 20:36 – Updated: 2021-09-22 14:30
VLAI
Summary
Prototype Pollution in jointjs
Details

This affects the package jointjs before 3.4.2. A type confusion vulnerability can lead to a bypass of CVE-2020-28480 when the user-provided keys used in the path parameter are arrays in the setByPath function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jointjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23444"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-843"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-22T14:30:35Z",
    "nvd_published_at": "2021-09-21T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This affects the package jointjs before 3.4.2. A type confusion vulnerability can lead to a bypass of CVE-2020-28480 when the user-provided keys used in the path parameter are arrays in the setByPath function.",
  "id": "GHSA-f3pp-32qc-36w4",
  "modified": "2021-09-22T14:30:35Z",
  "published": "2021-09-22T20:36:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/clientIO/joint/pull/1514"
    },
    {
      "type": "WEB",
      "url": "https://github.com/clientIO/joint/commit/e5bf89efef6d5ea572d66870ffd86560de7830a8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/clientIO/joint"
    },
    {
      "type": "WEB",
      "url": "https://github.com/clientIO/joint/releases/tag/v3.4.2"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1655817"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1655816"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-JOINTJS-1579578"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in jointjs"
}

GHSA-F49M-VF83-692W

Vulnerability from github – Published: 2026-06-25 17:28 – Updated: 2026-06-25 17:28
VLAI
Summary
i18next-http-middleware: MissingKeyHandler does not reject keys whose segments contain prototype-polluting names
Details

Impact

i18next-http-middleware ≤ 3.9.6's missingKeyHandler blocked the literal request-body keys __proto__, constructor, and prototype (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did not reject dotted variants such as "__proto__.polluted". Downstream backends that split the missing-key string on a configured keySeparator (notably i18next-fs-backend ≤ 2.6.5) hand these keys to an unguarded setPath() walker that writes to Object.prototype.

Applications that expose missingKeyHandler to untrusted input AND use i18next-fs-backend ≤ 2.6.5 are directly exploitable for remote prototype pollution. Other downstream backends that split the missing-key string the same way may be similarly affected.

Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks.

Patches

Fixed in i18next-http-middleware 3.9.7. A new utils.hasUnsafeKeySegment(key, keySeparator) helper is now used by missingKeyHandler; the configured i18next.options.keySeparator is honoured (default .; false disables segment splitting and only the literal-key denylist applies). Legitimate dotted keys (e.g. "header.title") are unaffected.

The root-cause fix has been shipped in i18next-fs-backend 2.6.6 — see the companion advisory.

Workarounds

If users cannot upgrade immediately:

  • Do not expose missingKeyHandler to untrusted users (mount it behind authentication, or remove the route).
  • Add a request-body filter ahead of the handler that rejects any top-level key containing __proto__, constructor, or prototype after splitting on a configured keySeparator.
  • Disable missing-key persistence (saveMissing: false) when accepting writes from untrusted input.

Resources

  • Original report by @codeswhite.
  • Companion advisory in i18next-fs-backend: GHSA-2933-q333-qg83.
  • Previous i18next-http-middleware security release: GHSA-5fgg-jcpf-8jjw and GHSA-c3h8-g69v-pjrg (in 3.9.3).
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "i18next-http-middleware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48714"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-25T17:28:12Z",
    "nvd_published_at": "2026-06-15T22:16:17Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\n`i18next-http-middleware` \u2264 3.9.6\u0027s `missingKeyHandler` blocked the literal request-body keys `__proto__`, `constructor`, and `prototype` (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did not reject dotted variants such as `\"__proto__.polluted\"`. Downstream backends that split the missing-key string on a configured `keySeparator` (notably `i18next-fs-backend` \u2264 2.6.5) hand these keys to an unguarded `setPath()` walker that writes to `Object.prototype`.\n\nApplications that expose `missingKeyHandler` to untrusted input **AND** use `i18next-fs-backend` \u2264 2.6.5 are directly exploitable for remote prototype pollution. Other downstream backends that split the missing-key string the same way may be similarly affected.\n\nDepending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks.\n\n### Patches\n\nFixed in **i18next-http-middleware 3.9.7**. A new `utils.hasUnsafeKeySegment(key, keySeparator)` helper is now used by `missingKeyHandler`; the configured `i18next.options.keySeparator` is honoured (default `.`; `false` disables segment splitting and only the literal-key denylist applies). Legitimate dotted keys (e.g. `\"header.title\"`) are unaffected.\n\nThe root-cause fix has been shipped in `i18next-fs-backend` **2.6.6** \u2014 see the companion advisory.\n\n### Workarounds\n\nIf users cannot upgrade immediately:\n\n- Do not expose `missingKeyHandler` to untrusted users (mount it behind authentication, or remove the route).\n- Add a request-body filter ahead of the handler that rejects any top-level key containing `__proto__`, `constructor`, or `prototype` after splitting on a configured `keySeparator`.\n- Disable missing-key persistence (`saveMissing: false`) when accepting writes from untrusted input.\n\n### Resources\n\n- Original report by [@codeswhite](https://github.com/codeswhite).\n- Companion advisory in `i18next-fs-backend`: [GHSA-2933-q333-qg83](https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-2933-q333-qg83).\n- Previous `i18next-http-middleware` security release: GHSA-5fgg-jcpf-8jjw and GHSA-c3h8-g69v-pjrg (in 3.9.3).",
  "id": "GHSA-f49m-vf83-692w",
  "modified": "2026-06-25T17:28:12Z",
  "published": "2026-06-25T17:28:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-f49m-vf83-692w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48714"
    },
    {
      "type": "WEB",
      "url": "https://github.com/i18next/i18next-http-middleware/commit/7c6d26f137d3e940b8d229ca148bca38845faf49"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/i18next/i18next-http-middleware"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "i18next-http-middleware: MissingKeyHandler does not reject keys whose segments contain prototype-polluting names"
}

GHSA-F5X2-VJ4H-VG4C

Vulnerability from github – Published: 2026-02-06 19:27 – Updated: 2026-02-07 00:33
VLAI
Summary
AdonisJS multipart body parsing has Prototype Pollution issue
Details

Description

A Prototype Pollution vulnerability (CWE-1321) in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This impacts @adonisjs/bodyparser through version 10.1.2 and 11.x prerelease versions prior to 11.0.0-next.8. This issue has been patched in @adonisjs/bodyparser versions 10.1.3 and 11.0.0-next.9

Details

AdonisJS parses multipart/form-data requests via the BodyParser package. During multipart parsing, form field names are used to construct plain JavaScript objects representing the parsed request body.

Due to insufficient validation of multipart field names, specially crafted fields containing reserved property names such as __proto__, constructor, or prototype could be assigned directly to objects created during parsing. This allows an attacker to pollute object prototypes, potentially affecting other parts of the application that rely on these objects.

The vulnerability is limited to multipart request parsing and does not affect JSON or URL-encoded body parsing.

Impact

Exploitation requires an application endpoint that accepts and parses multipart/form-data requests.

If exploited, prototype pollution may lead to unexpected application behavior, logic bypasses, or security issues depending on how polluted objects are later consumed. The severity of the impact depends on application logic and usage patterns of the parsed request data.

Patches

Fixes targeting v6 and v7 have been published below.

Users should upgrade to a version that includes the following fix: - https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3 - https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.1.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@adonisjs/bodyparser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.0.0-next.8"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@adonisjs/bodyparser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0-next.0"
            },
            {
              "fixed": "11.0.0-next.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25754"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-06T19:27:30Z",
    "nvd_published_at": "2026-02-06T23:15:54Z",
    "severity": "HIGH"
  },
  "details": "### Description\n\nA Prototype Pollution vulnerability (CWE-1321) in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This impacts `@adonisjs/bodyparser` through version `10.1.2` and `11.x` prerelease versions prior to `11.0.0-next.8`. This issue has been patched in `@adonisjs/bodyparser` versions `10.1.3` and `11.0.0-next.9`\n\n### Details\n\nAdonisJS parses `multipart/form-data` requests via the BodyParser package. During multipart parsing, form field names are used to construct plain JavaScript objects representing the parsed request body.\n\nDue to insufficient validation of multipart field names, specially crafted fields containing reserved property names such as `__proto__`, `constructor`, or `prototype` could be assigned directly to objects created during parsing. This allows an attacker to pollute object prototypes, potentially affecting other parts of the application that rely on these objects.\n\n**The vulnerability is limited to multipart request parsing and does not affect JSON or URL-encoded body parsing.**\n\n### Impact\n\nExploitation requires an application endpoint that accepts and parses `multipart/form-data` requests.\n\nIf exploited, prototype pollution may lead to unexpected application behavior, logic bypasses, or security issues depending on how polluted objects are later consumed. The severity of the impact depends on application logic and usage patterns of the parsed request data.\n\n### Patches\n\nFixes targeting v6 and v7 have been published below.\n\nUsers should upgrade to a version that includes the following fix:\n- https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3\n- https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9",
  "id": "GHSA-f5x2-vj4h-vg4c",
  "modified": "2026-02-07T00:33:30Z",
  "published": "2026-02-06T19:27:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25754"
    },
    {
      "type": "WEB",
      "url": "https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed"
    },
    {
      "type": "WEB",
      "url": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/adonisjs/core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AdonisJS multipart body parsing has Prototype Pollution issue"
}

GHSA-F6V4-CF5J-VF3W

Vulnerability from github – Published: 2024-09-11 06:30 – Updated: 2024-09-11 23:11
VLAI
Summary
dset Prototype Pollution vulnerability
Details

Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property proto, which is recursively assigned to all the objects in the program.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "dset"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21529"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-11T23:11:10Z",
    "nvd_published_at": "2024-09-11T05:15:02Z",
    "severity": "HIGH"
  },
  "details": "Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.",
  "id": "GHSA-f6v4-cf5j-vf3w",
  "modified": "2024-09-11T23:11:10Z",
  "published": "2024-09-11T06:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21529"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lukeed/dset/commit/16d6154e085bef01e99f01330e5a421a7f098afa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lukeed/dset"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-DSET-7116691"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "dset Prototype Pollution vulnerability"
}

GHSA-F737-3FH6-JF6W

Vulnerability from github – Published: 2023-04-26 21:30 – Updated: 2023-07-07 22:20
VLAI
Summary
Prototype Pollution in vConsole
Details

vConsole was discovered to contain a prototype pollution due to incorrect key and value resolution in setOptions in core.ts.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "vconsole"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-30363"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-27T13:58:23Z",
    "nvd_published_at": "2023-04-26T21:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "vConsole was discovered to contain a prototype pollution due to incorrect key and value resolution in setOptions in core.ts.",
  "id": "GHSA-f737-3fh6-jf6w",
  "modified": "2023-07-07T22:20:18Z",
  "published": "2023-04-26T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30363"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Tencent/vConsole/issues/616"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Tencent/vConsole/commit/b91591703490e032451f7734212f6458bde9be6a"
    },
    {
      "type": "WEB",
      "url": "https://cwe.mitre.org/data/definitions/1321.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Tencent/vConsole"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Tencent/vConsole/releases/tag/v3.15.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in vConsole"
}

GHSA-F74F-3RWG-525W

Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-02-06 18:31
VLAI
Details

A prototype pollution in the lib.setValue function of @syncfusion/ej2-spreadsheet v27.2.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57064"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-05T22:15:30Z",
    "severity": "HIGH"
  },
  "details": "A prototype pollution in the lib.setValue function of @syncfusion/ej2-spreadsheet v27.2.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.",
  "id": "GHSA-f74f-3rwg-525w",
  "modified": "2025-02-06T18:31:05Z",
  "published": "2025-02-06T06:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57064"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/tariqhawis/1b40dc7f3836813663c871535039760e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.