CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
782 vulnerabilities reference this CWE, most recent first.
GHSA-CR7H-93FH-WHWM
Vulnerability from github – Published: 2025-09-24 21:30 – Updated: 2025-09-25 17:52A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions through 2.2.2 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "magix-combine-ex"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-57321"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-25T17:52:23Z",
"nvd_published_at": "2025-09-24T20:15:31Z",
"severity": "LOW"
},
"details": "A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions through 2.2.2 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.",
"id": "GHSA-cr7h-93fh-whwm",
"modified": "2025-09-25T17:52:42Z",
"published": "2025-09-24T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57321"
},
{
"type": "WEB",
"url": "https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/magix-combine-ex%401.2.10/index.js"
},
{
"type": "WEB",
"url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57321"
},
{
"type": "PACKAGE",
"url": "https://github.com/thx/magix-combine"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "magix-combine-ex vulnerable to prototype pollution"
}
GHSA-CWCX-RXGC-CMW3
Vulnerability from github – Published: 2021-05-17 20:57 – Updated: 2025-05-01 00:21Prototype pollution vulnerability in '101' versions 1.0.0 through 1.6.3 allows an attacker to cause a denial of service and may lead to remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "101"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"last_affected": "1.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-25943"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-17T18:01:38Z",
"nvd_published_at": "2021-05-14T14:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in \u0027101\u0027 versions 1.0.0 through 1.6.3 allows an attacker to cause a denial of service and may lead to remote code execution.",
"id": "GHSA-cwcx-rxgc-cmw3",
"modified": "2025-05-01T00:21:05Z",
"published": "2021-05-17T20:57:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25943"
},
{
"type": "PACKAGE",
"url": "https://github.com/tjmehta/101"
},
{
"type": "WEB",
"url": "https://github.com/tjmehta/101/blob/d87f63ce2a4cbdc476e8287abd78327c3144d646/set.js#L52"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25943"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in 101"
}
GHSA-CXM3-284P-QC4V
Vulnerability from github – Published: 2020-09-03 15:53 – Updated: 2021-07-29 15:56Affected versions of sds are vulnerable to prototype pollution. The set function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.
Recommendation
Upgrade to version 4.0.0 or later
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "sds"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7618"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T19:01:47Z",
"nvd_published_at": "2020-04-07T14:15:00Z",
"severity": "MODERATE"
},
"details": "Affected versions of `sds` are vulnerable to prototype pollution. The `set` function does not restrict the modification of an Object\u0027s prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.\n\n## Recommendation\n\nUpgrade to version 4.0.0 or later",
"id": "GHSA-cxm3-284p-qc4v",
"modified": "2021-07-29T15:56:20Z",
"published": "2020-09-03T15:53:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7618"
},
{
"type": "WEB",
"url": "https://github.com/monsterkodi/sds/blob/master/js/set.js#L31"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-SDS-564123"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1506"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in sds"
}
GHSA-F23M-R3PF-42RH
Vulnerability from github – Published: 2026-04-01 23:50 – Updated: 2026-04-01 23:50Impact
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches
This issue is patched in 4.18.0.
Workarounds
None. Upgrade to the patched version.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.17.23"
},
"package": {
"ecosystem": "npm",
"name": "lodash"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.17.23"
},
"package": {
"ecosystem": "npm",
"name": "lodash-es"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.17.23"
},
"package": {
"ecosystem": "npm",
"name": "lodash-amd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "lodash.unset"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.18.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-2950"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T23:50:27Z",
"nvd_published_at": "2026-03-31T20:16:26Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\n### Patches\n\nThis issue is patched in 4.18.0.\n\n### Workarounds\n\nNone. Upgrade to the patched version.",
"id": "GHSA-f23m-r3pf-42rh",
"modified": "2026-04-01T23:50:27Z",
"published": "2026-04-01T23:50:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh"
},
{
"type": "WEB",
"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
},
{
"type": "PACKAGE",
"url": "https://github.com/lodash/lodash"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"
}
GHSA-F3PP-32QC-36W4
Vulnerability from github – Published: 2021-09-22 20:36 – Updated: 2021-09-22 14:30This affects the package jointjs before 3.4.2. A type confusion vulnerability can lead to a bypass of CVE-2020-28480 when the user-provided keys used in the path parameter are arrays in the setByPath function.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "jointjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23444"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-22T14:30:35Z",
"nvd_published_at": "2021-09-21T17:15:00Z",
"severity": "MODERATE"
},
"details": "This affects the package jointjs before 3.4.2. A type confusion vulnerability can lead to a bypass of CVE-2020-28480 when the user-provided keys used in the path parameter are arrays in the setByPath function.",
"id": "GHSA-f3pp-32qc-36w4",
"modified": "2021-09-22T14:30:35Z",
"published": "2021-09-22T20:36:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/clientIO/joint/pull/1514"
},
{
"type": "WEB",
"url": "https://github.com/clientIO/joint/commit/e5bf89efef6d5ea572d66870ffd86560de7830a8"
},
{
"type": "PACKAGE",
"url": "https://github.com/clientIO/joint"
},
{
"type": "WEB",
"url": "https://github.com/clientIO/joint/releases/tag/v3.4.2"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1655817"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1655816"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-JOINTJS-1579578"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in jointjs"
}
GHSA-F49M-VF83-692W
Vulnerability from github – Published: 2026-06-25 17:28 – Updated: 2026-06-25 17:28Impact
i18next-http-middleware ≤ 3.9.6's missingKeyHandler blocked the literal request-body keys __proto__, constructor, and prototype (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did not reject dotted variants such as "__proto__.polluted". Downstream backends that split the missing-key string on a configured keySeparator (notably i18next-fs-backend ≤ 2.6.5) hand these keys to an unguarded setPath() walker that writes to Object.prototype.
Applications that expose missingKeyHandler to untrusted input AND use i18next-fs-backend ≤ 2.6.5 are directly exploitable for remote prototype pollution. Other downstream backends that split the missing-key string the same way may be similarly affected.
Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks.
Patches
Fixed in i18next-http-middleware 3.9.7. A new utils.hasUnsafeKeySegment(key, keySeparator) helper is now used by missingKeyHandler; the configured i18next.options.keySeparator is honoured (default .; false disables segment splitting and only the literal-key denylist applies). Legitimate dotted keys (e.g. "header.title") are unaffected.
The root-cause fix has been shipped in i18next-fs-backend 2.6.6 — see the companion advisory.
Workarounds
If users cannot upgrade immediately:
- Do not expose
missingKeyHandlerto untrusted users (mount it behind authentication, or remove the route). - Add a request-body filter ahead of the handler that rejects any top-level key containing
__proto__,constructor, orprototypeafter splitting on a configuredkeySeparator. - Disable missing-key persistence (
saveMissing: false) when accepting writes from untrusted input.
Resources
- Original report by @codeswhite.
- Companion advisory in
i18next-fs-backend: GHSA-2933-q333-qg83. - Previous
i18next-http-middlewaresecurity release: GHSA-5fgg-jcpf-8jjw and GHSA-c3h8-g69v-pjrg (in 3.9.3).
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "i18next-http-middleware"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48714"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-25T17:28:12Z",
"nvd_published_at": "2026-06-15T22:16:17Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\n`i18next-http-middleware` \u2264 3.9.6\u0027s `missingKeyHandler` blocked the literal request-body keys `__proto__`, `constructor`, and `prototype` (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did not reject dotted variants such as `\"__proto__.polluted\"`. Downstream backends that split the missing-key string on a configured `keySeparator` (notably `i18next-fs-backend` \u2264 2.6.5) hand these keys to an unguarded `setPath()` walker that writes to `Object.prototype`.\n\nApplications that expose `missingKeyHandler` to untrusted input **AND** use `i18next-fs-backend` \u2264 2.6.5 are directly exploitable for remote prototype pollution. Other downstream backends that split the missing-key string the same way may be similarly affected.\n\nDepending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks.\n\n### Patches\n\nFixed in **i18next-http-middleware 3.9.7**. A new `utils.hasUnsafeKeySegment(key, keySeparator)` helper is now used by `missingKeyHandler`; the configured `i18next.options.keySeparator` is honoured (default `.`; `false` disables segment splitting and only the literal-key denylist applies). Legitimate dotted keys (e.g. `\"header.title\"`) are unaffected.\n\nThe root-cause fix has been shipped in `i18next-fs-backend` **2.6.6** \u2014 see the companion advisory.\n\n### Workarounds\n\nIf users cannot upgrade immediately:\n\n- Do not expose `missingKeyHandler` to untrusted users (mount it behind authentication, or remove the route).\n- Add a request-body filter ahead of the handler that rejects any top-level key containing `__proto__`, `constructor`, or `prototype` after splitting on a configured `keySeparator`.\n- Disable missing-key persistence (`saveMissing: false`) when accepting writes from untrusted input.\n\n### Resources\n\n- Original report by [@codeswhite](https://github.com/codeswhite).\n- Companion advisory in `i18next-fs-backend`: [GHSA-2933-q333-qg83](https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-2933-q333-qg83).\n- Previous `i18next-http-middleware` security release: GHSA-5fgg-jcpf-8jjw and GHSA-c3h8-g69v-pjrg (in 3.9.3).",
"id": "GHSA-f49m-vf83-692w",
"modified": "2026-06-25T17:28:12Z",
"published": "2026-06-25T17:28:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-f49m-vf83-692w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48714"
},
{
"type": "WEB",
"url": "https://github.com/i18next/i18next-http-middleware/commit/7c6d26f137d3e940b8d229ca148bca38845faf49"
},
{
"type": "PACKAGE",
"url": "https://github.com/i18next/i18next-http-middleware"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "i18next-http-middleware: MissingKeyHandler does not reject keys whose segments contain prototype-polluting names"
}
GHSA-F5X2-VJ4H-VG4C
Vulnerability from github – Published: 2026-02-06 19:27 – Updated: 2026-02-07 00:33Description
A Prototype Pollution vulnerability (CWE-1321) in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This impacts @adonisjs/bodyparser through version 10.1.2 and 11.x prerelease versions prior to 11.0.0-next.8. This issue has been patched in @adonisjs/bodyparser versions 10.1.3 and 11.0.0-next.9
Details
AdonisJS parses multipart/form-data requests via the BodyParser package. During multipart parsing, form field names are used to construct plain JavaScript objects representing the parsed request body.
Due to insufficient validation of multipart field names, specially crafted fields containing reserved property names such as __proto__, constructor, or prototype could be assigned directly to objects created during parsing. This allows an attacker to pollute object prototypes, potentially affecting other parts of the application that rely on these objects.
The vulnerability is limited to multipart request parsing and does not affect JSON or URL-encoded body parsing.
Impact
Exploitation requires an application endpoint that accepts and parses multipart/form-data requests.
If exploited, prototype pollution may lead to unexpected application behavior, logic bypasses, or security issues depending on how polluted objects are later consumed. The severity of the impact depends on application logic and usage patterns of the parsed request data.
Patches
Fixes targeting v6 and v7 have been published below.
Users should upgrade to a version that includes the following fix: - https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3 - https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.1.2"
},
"package": {
"ecosystem": "npm",
"name": "@adonisjs/bodyparser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.1.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.0.0-next.8"
},
"package": {
"ecosystem": "npm",
"name": "@adonisjs/bodyparser"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-next.0"
},
{
"fixed": "11.0.0-next.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25754"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-06T19:27:30Z",
"nvd_published_at": "2026-02-06T23:15:54Z",
"severity": "HIGH"
},
"details": "### Description\n\nA Prototype Pollution vulnerability (CWE-1321) in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This impacts `@adonisjs/bodyparser` through version `10.1.2` and `11.x` prerelease versions prior to `11.0.0-next.8`. This issue has been patched in `@adonisjs/bodyparser` versions `10.1.3` and `11.0.0-next.9`\n\n### Details\n\nAdonisJS parses `multipart/form-data` requests via the BodyParser package. During multipart parsing, form field names are used to construct plain JavaScript objects representing the parsed request body.\n\nDue to insufficient validation of multipart field names, specially crafted fields containing reserved property names such as `__proto__`, `constructor`, or `prototype` could be assigned directly to objects created during parsing. This allows an attacker to pollute object prototypes, potentially affecting other parts of the application that rely on these objects.\n\n**The vulnerability is limited to multipart request parsing and does not affect JSON or URL-encoded body parsing.**\n\n### Impact\n\nExploitation requires an application endpoint that accepts and parses `multipart/form-data` requests.\n\nIf exploited, prototype pollution may lead to unexpected application behavior, logic bypasses, or security issues depending on how polluted objects are later consumed. The severity of the impact depends on application logic and usage patterns of the parsed request data.\n\n### Patches\n\nFixes targeting v6 and v7 have been published below.\n\nUsers should upgrade to a version that includes the following fix:\n- https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3\n- https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9",
"id": "GHSA-f5x2-vj4h-vg4c",
"modified": "2026-02-07T00:33:30Z",
"published": "2026-02-06T19:27:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25754"
},
{
"type": "WEB",
"url": "https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed"
},
{
"type": "WEB",
"url": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9"
},
{
"type": "PACKAGE",
"url": "https://github.com/adonisjs/core"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "AdonisJS multipart body parsing has Prototype Pollution issue"
}
GHSA-F6V4-CF5J-VF3W
Vulnerability from github – Published: 2024-09-11 06:30 – Updated: 2024-09-11 23:11Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property proto, which is recursively assigned to all the objects in the program.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "dset"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21529"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-11T23:11:10Z",
"nvd_published_at": "2024-09-11T05:15:02Z",
"severity": "HIGH"
},
"details": "Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.",
"id": "GHSA-f6v4-cf5j-vf3w",
"modified": "2024-09-11T23:11:10Z",
"published": "2024-09-11T06:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21529"
},
{
"type": "WEB",
"url": "https://github.com/lukeed/dset/commit/16d6154e085bef01e99f01330e5a421a7f098afa"
},
{
"type": "PACKAGE",
"url": "https://github.com/lukeed/dset"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-DSET-7116691"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "dset Prototype Pollution vulnerability"
}
GHSA-F737-3FH6-JF6W
Vulnerability from github – Published: 2023-04-26 21:30 – Updated: 2023-07-07 22:20vConsole was discovered to contain a prototype pollution due to incorrect key and value resolution in setOptions in core.ts.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "vconsole"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-30363"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-27T13:58:23Z",
"nvd_published_at": "2023-04-26T21:15:09Z",
"severity": "CRITICAL"
},
"details": "vConsole was discovered to contain a prototype pollution due to incorrect key and value resolution in setOptions in core.ts.",
"id": "GHSA-f737-3fh6-jf6w",
"modified": "2023-07-07T22:20:18Z",
"published": "2023-04-26T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30363"
},
{
"type": "WEB",
"url": "https://github.com/Tencent/vConsole/issues/616"
},
{
"type": "WEB",
"url": "https://github.com/Tencent/vConsole/commit/b91591703490e032451f7734212f6458bde9be6a"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/1321.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/Tencent/vConsole"
},
{
"type": "WEB",
"url": "https://github.com/Tencent/vConsole/releases/tag/v3.15.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in vConsole"
}
GHSA-F74F-3RWG-525W
Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-02-06 18:31A prototype pollution in the lib.setValue function of @syncfusion/ej2-spreadsheet v27.2.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
{
"affected": [],
"aliases": [
"CVE-2024-57064"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-05T22:15:30Z",
"severity": "HIGH"
},
"details": "A prototype pollution in the lib.setValue function of @syncfusion/ej2-spreadsheet v27.2.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.",
"id": "GHSA-f74f-3rwg-525w",
"modified": "2025-02-06T18:31:05Z",
"published": "2025-02-06T06:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57064"
},
{
"type": "WEB",
"url": "https://gist.github.com/tariqhawis/1b40dc7f3836813663c871535039760e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.