Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

781 vulnerabilities reference this CWE, most recent first.

GHSA-FHV8-FX5F-7FXF

Vulnerability from github – Published: 2021-09-20 19:53 – Updated: 2024-12-06 18:20
VLAI
Summary
Prototype Pollution in the merge and clone helper methods
Details

Impact

Using merge and clone helper methods in the src/core/util.ts module will have prototype pollution. It will affect the popular data visualization library Apache ECharts, which is using and exported these two methods directly.

Patches

It has been patched in https://github.com/ecomfe/zrender/pull/826. Users should update zrender to 5.2.1. and update echarts to 5.2.1 if project is using echarts.

References

NA

For more information

NA

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "zrender"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.3.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "zrender"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-17T17:51:46Z",
    "nvd_published_at": "2021-09-17T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nUsing `merge` and `clone` helper methods in the `src/core/util.ts` module will have prototype pollution. It will affect the popular data visualization library Apache ECharts, which is using and exported these two methods directly.\n\n### Patches\n \nIt has been patched in https://github.com/ecomfe/zrender/pull/826. \nUsers should update zrender to `5.2.1`.  and update echarts to `5.2.1` if project is using echarts.\n\n### References\nNA\n\n### For more information\nNA\n",
  "id": "GHSA-fhv8-fx5f-7fxf",
  "modified": "2024-12-06T18:20:49Z",
  "published": "2021-09-20T19:53:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ecomfe/zrender/security/advisories/GHSA-fhv8-fx5f-7fxf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39227"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ecomfe/zrender/pull/826"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ecomfe/zrender"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ecomfe/zrender/releases/tag/5.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in the merge and clone helper methods"
}

GHSA-FM93-FHH2-CG2C

Vulnerability from github – Published: 2022-01-27 14:21 – Updated: 2025-07-18 19:44
VLAI
Summary
Duplicate Advisory: Prototype Pollution in min-dash
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-2m53-83f3-562j. This link is maintained to preserve external references.

Original Description

The package min-dash before 3.8.1 are vulnerable to Prototype Pollution via the set method due to missing enforcement of key types.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "min-dash"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-24T22:51:52Z",
    "nvd_published_at": "2022-01-21T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-2m53-83f3-562j. This link is maintained to preserve external references.\n\n## Original Description\nThe package min-dash before 3.8.1 are vulnerable to Prototype Pollution via the set method due to missing enforcement of key types.",
  "id": "GHSA-fm93-fhh2-cg2c",
  "modified": "2025-07-18T19:44:32Z",
  "published": "2022-01-27T14:21:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23460"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bpmn-io/min-dash/pull/21"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bpmn-io/min-dash/pull/21/commits/5ab05cbc4fd8d5eafb7db540c491ed0906b9d320"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bpmn-io/min-dash"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bpmn-io/min-dash/blob/c4d579c0eb2ed0739592111c3906b198921d3f52/lib/object.js%23L32"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2342127"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-MINDASH-2340605"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: Prototype Pollution in min-dash",
  "withdrawn": "2025-07-18T19:44:32Z"
}

GHSA-FMRR-MX6J-H3H5

Vulnerability from github – Published: 2021-05-06 18:12 – Updated: 2021-05-05 18:50
VLAI
Summary
Prototype Pollution in confucious
Details

All versions of package confucious up to and including version 0.0.12 are vulnerable to Prototype Pollution via the set function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "confucious"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7714"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T18:50:23Z",
    "nvd_published_at": "2020-09-01T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "All versions of package confucious up to and including version 0.0.12 are vulnerable to Prototype Pollution via the set function.",
  "id": "GHSA-fmrr-mx6j-h3h5",
  "modified": "2021-05-05T18:50:23Z",
  "published": "2021-05-06T18:12:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7714"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-CONFUCIOUS-598665"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in confucious"
}

GHSA-FP82-2H99-3FPP

Vulnerability from github – Published: 2018-09-18 13:47 – Updated: 2022-04-26 20:44
VLAI
Summary
Prototype Pollution in async merge-object
Details

The utilities function in all versions of the merge-object node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "merge-object"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-3753"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:35:00Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "The utilities function in all versions of the merge-object node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.",
  "id": "GHSA-fp82-2h99-3fpp",
  "modified": "2022-04-26T20:44:24Z",
  "published": "2018-09-18T13:47:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3753"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/310706"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in async merge-object"
}

GHSA-FQG8-VFV7-8FJ8

Vulnerability from github – Published: 2024-03-04 20:43 – Updated: 2024-03-06 21:36
VLAI
Summary
JSONata expression can pollute the "Object" prototype
Details

Impact

In JSONata versions >= 1.4.0, < 1.8.7 and >= 2.0.0, < 2.0.4, a malicious expression can use the transform operator to override properties on the Object constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions.

Patch

This issue has been fixed in JSONata versions >= 1.8.7 and >= 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. The following patch can be applied if updating is not possible.

--- a/src/jsonata.js
+++ b/src/jsonata.js
@@ -1293,6 +1293,13 @@ var jsonata = (function() {
                 }
                 for(var ii = 0; ii < matches.length; ii++) {
                     var match = matches[ii];
+                    if (match && (match.isPrototypeOf(result) || match instanceof Object.constructor)) {
+                        throw {
+                            code: "D1010",
+                            stack: (new Error()).stack,
+                            position: expr.position
+                        };
+                    }
                     // evaluate the update value for each match
                     var update = await evaluate(expr.update, match, environment);
                     // update must be an object
@@ -1539,7 +1546,7 @@ var jsonata = (function() {
                 if (typeof err.token == 'undefined' && typeof proc.token !== 'undefined') {
                     err.token = proc.token;
                 }
-                err.position = proc.position;
+                err.position = proc.position || err.position;
             }
             throw err;
         }
@@ -1972,6 +1979,7 @@ var jsonata = (function() {
         "T1007": "Attempted to partially apply a non-function. Did you mean ${{{token}}}?",
         "T1008": "Attempted to partially apply a non-function",
         "D1009": "Multiple key definitions evaluate to same key: {{value}}",
+        "D1010": "Attempted to access the Javascript object prototype", // Javascript specific 
         "T1010": "The matcher function argument passed to function {{token}} does not return the correct object structure",
         "T2001": "The left side of the {{token}} operator must evaluate to a number",
         "T2002": "The right side of the {{token}} operator must evaluate to a number",

References

https://github.com/jsonata-js/jsonata/releases/tag/v2.0.4

Credit

Thank you to Albert Pedersen of Cloudflare for disclosing this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jsonata"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.8.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "jsonata"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-27307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-04T20:43:12Z",
    "nvd_published_at": "2024-03-06T20:15:47Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nIn JSONata versions `\u003e= 1.4.0, \u003c 1.8.7` and `\u003e= 2.0.0, \u003c 2.0.4`, a malicious expression can use the [transform operator](https://docs.jsonata.org/other-operators#-------transform) to override properties on the `Object` constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions.\n\n### Patch\n\nThis issue has been fixed in JSONata versions `\u003e= 1.8.7` and `\u003e= 2.0.4`. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. The following patch can be applied if updating is not possible.\n\n```patch\n--- a/src/jsonata.js\n+++ b/src/jsonata.js\n@@ -1293,6 +1293,13 @@ var jsonata = (function() {\n                 }\n                 for(var ii = 0; ii \u003c matches.length; ii++) {\n                     var match = matches[ii];\n+                    if (match \u0026\u0026 (match.isPrototypeOf(result) || match instanceof Object.constructor)) {\n+                        throw {\n+                            code: \"D1010\",\n+                            stack: (new Error()).stack,\n+                            position: expr.position\n+                        };\n+                    }\n                     // evaluate the update value for each match\n                     var update = await evaluate(expr.update, match, environment);\n                     // update must be an object\n@@ -1539,7 +1546,7 @@ var jsonata = (function() {\n                 if (typeof err.token == \u0027undefined\u0027 \u0026\u0026 typeof proc.token !== \u0027undefined\u0027) {\n                     err.token = proc.token;\n                 }\n-                err.position = proc.position;\n+                err.position = proc.position || err.position;\n             }\n             throw err;\n         }\n@@ -1972,6 +1979,7 @@ var jsonata = (function() {\n         \"T1007\": \"Attempted to partially apply a non-function. Did you mean ${{{token}}}?\",\n         \"T1008\": \"Attempted to partially apply a non-function\",\n         \"D1009\": \"Multiple key definitions evaluate to same key: {{value}}\",\n+        \"D1010\": \"Attempted to access the Javascript object prototype\", // Javascript specific \n         \"T1010\": \"The matcher function argument passed to function {{token}} does not return the correct object structure\",\n         \"T2001\": \"The left side of the {{token}} operator must evaluate to a number\",\n         \"T2002\": \"The right side of the {{token}} operator must evaluate to a number\",\n```\n\n### References\n\nhttps://github.com/jsonata-js/jsonata/releases/tag/v2.0.4\n\n### Credit\n\nThank you to Albert Pedersen of Cloudflare for disclosing this issue.\n",
  "id": "GHSA-fqg8-vfv7-8fj8",
  "modified": "2024-03-06T21:36:55Z",
  "published": "2024-03-04T20:43:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jsonata-js/jsonata/security/advisories/GHSA-fqg8-vfv7-8fj8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27307"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jsonata-js/jsonata/commit/1d579dbe99c19fbe509f5ba2c6db7959b0d456d1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jsonata-js/jsonata/commit/335d38f6278e96c908b24183f1c9c90afc8ae00c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jsonata-js/jsonata/commit/c907b5e517bb718015fcbd993d742ba6202f2be2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jsonata-js/jsonata"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jsonata-js/jsonata/releases/tag/v2.0.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "JSONata expression can pollute the \"Object\" prototype"
}

GHSA-FQQ9-F3PW-4CFF

Vulnerability from github – Published: 2022-02-03 00:00 – Updated: 2022-02-06 00:01
VLAI
Details

Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0432"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-02T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.",
  "id": "GHSA-fqq9-f3pw-4cff",
  "modified": "2022-02-06T00:01:08Z",
  "published": "2022-02-03T00:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0432"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mastodon/mastodon/commit/4d6d4b43c6186a13e67b92eaf70fe1b70ea24a09"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/d06da292-7716-4d74-a129-dd04773398d7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FVQR-27WR-82FM

Vulnerability from github – Published: 2018-07-26 15:14 – Updated: 2025-08-12 21:37
VLAI
Summary
Prototype Pollution in lodash
Details

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.5 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.17.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "lodash-rails"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.17.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-3721"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-471"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:35:26Z",
    "nvd_published_at": "2018-06-07T02:29:08Z",
    "severity": "MODERATE"
  },
  "details": "Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are \u0027defaultsDeep\u0027, \u0027merge\u0027, and \u0027mergeWith\u0027 which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.",
  "id": "GHSA-fvqr-27wr-82fm",
  "modified": "2025-08-12T21:37:06Z",
  "published": "2018-07-26T15:14:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3721"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/310443"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-3721.yml"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190919-0004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in lodash"
}

GHSA-FW45-938V-P26J

Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2024-04-22 23:15
VLAI
Summary
mootools-more vulnerable to prototype pollution
Details

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in mootools-more 1.6.0 allows a malicious user to inject properties into Object.prototype.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "mootools-more"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-20088"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-22T23:15:04Z",
    "nvd_published_at": "2021-04-23T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027) in mootools-more 1.6.0 allows a malicious user to inject properties into Object.prototype.",
  "id": "GHSA-fw45-938v-p26j",
  "modified": "2024-04-22T23:15:04Z",
  "published": "2022-05-24T22:01:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20088"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BlackFan/client-side-prototype-pollution/blob/master/pp/mootools-more.md"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mootools/mootools-more"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "mootools-more vulnerable to prototype pollution"
}

GHSA-FW9Q-39R9-C252

Vulnerability from github – Published: 2026-04-10 20:18 – Updated: 2026-04-10 21:37
VLAI
Summary
LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`
Details

GHSA-fw9q-39r9-c252: Prototype Pollution via Incomplete Lodash set() Guard in langsmith-sdk

Severity: Medium (CVSS ~5.6) Status: Fixed in 0.5.18


Summary

The LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() utility. The baseAssignValue() function only guards against the __proto__ key, but fails to prevent traversal via constructor.prototype. This allows an attacker who controls keys in data processed by the createAnonymizer() API to pollute Object.prototype, affecting all objects in the Node.js process.


Affected Products

Product Affected Versions Component
langsmith (npm) <= 0.5.17 js/src/utils/lodash/baseAssignValue.ts, js/src/anonymizer/index.ts
langchain-ai/langsmith-sdk GitHub main branch (as of 2026-03-24) JS/TypeScript SDK

Not affected: The Python SDK (langsmith on PyPI) does not use lodash or an equivalent pattern.


Root Cause

The SDK vendors an internal copy of lodash's set() function at js/src/utils/lodash/. The baseAssignValue() function at baseAssignValue.ts:11 implements a guard for prototype pollution:

function baseAssignValue(object: Record<string, any>, key: string, value: any) {
  if (key === "__proto__") {
    Object.defineProperty(object, key, {
      configurable: true, enumerable: true, value: value, writable: true,
    });
  } else {
    object[key] = value;  // ← No guard for "constructor" or "prototype" keys
  }
}

This blocks __proto__ pollution but does not block the constructor.prototype traversal path. When set() is called with a path like "constructor.prototype.polluted":

  1. castPath() splits it into ["constructor", "prototype", "polluted"]
  2. baseSet() iterates: obj.constructorObjectObject.prototype
  3. assignValue(Object.prototype, "polluted", value) calls baseAssignValue()
  4. Key is "polluted" (not "__proto__"), so the guard is bypassed
  5. Object.prototype.polluted = value — all objects are polluted

Attack Vector via Anonymizer

The createAnonymizer() API (importable as langsmith/anonymizer) processes data by:

  1. Extracting string nodesextractStringNodes() walks an object recursively and builds dotted paths from keys
  2. Applying regex replacements — If a string value matches a configured pattern, the node is marked for update (anonymizer/index.ts:95)
  3. Writing back with set()set(mutateValue, node.path, node.value) writes the replaced value back (anonymizer/index.ts:123)

An attacker who controls keys in data being anonymized can construct a nested object where the path resolves to constructor.prototype.X:

{
  wrapper: {
    "constructor.prototype.isAdmin": "contains-secret-pattern"
  }
}

extractStringNodes() produces path "wrapper.constructor.prototype.isAdmin". When the replacement triggers and set() writes back, it traverses up to Object.prototype.

Although createAnonymizer() uses deepClone() at anonymizer/index.ts:62 (JSON.parse(JSON.stringify(data))), the prototype chain traversal escapes the clone boundary because clone.wrapper.constructor resolves to the global Object constructor, not a cloned copy.


Proof of Concept

import { createAnonymizer } from "langsmith/anonymizer";

const anonymizer = createAnonymizer([
  { pattern: "secret", replace: "[REDACTED]" }
]);

console.log("BEFORE:", ({}).isAdmin);  // undefined

const maliciousInput = {
  wrapper: {
    "constructor.prototype.isAdmin": "this-is-secret-data"
  }
};

anonymizer(maliciousInput);

console.log("AFTER:", ({}).isAdmin);   // "this-is-[REDACTED]-data"
console.log("Array:", [].isAdmin);     // "this-is-[REDACTED]-data"

function checkAccess(user) {
  if (user.isAdmin) return "ACCESS GRANTED";
  return "ACCESS DENIED";
}
console.log(checkAccess({ name: "bob" }));  // "ACCESS GRANTED" ← BYPASSED

Impact

Prototype pollution in a Node.js process can enable:

  1. Authentication bypassif (user.isAdmin) checks succeed on all objects
  2. Remote Code Execution — Exploitable in template engines (Pug, EJS, Handlebars, Nunjucks) via polluted prototype properties that reach eval()/Function() sinks
  3. Denial of Service — Overwriting toString, valueOf, or hasOwnProperty on all objects
  4. Data exfiltration — Polluting serialization methods to inject attacker-controlled values

Remediation

In baseAssignValue.ts, extend the guard to cover constructor and prototype keys:

function baseAssignValue(object, key, value) {
  if (key === "__proto__" || key === "constructor" || key === "prototype") {
    Object.defineProperty(object, key, {
      configurable: true, enumerable: true, value, writable: true,
    });
  } else {
    object[key] = value;
  }
}

As defense in depth, extractStringNodes() in anonymizer/index.ts should also sanitize or reject path segments matching constructor or prototype before passing them to set().


Timeline

Date Event
2026-03-24 Initial report submitted
2026-04-09 Vendor confirmed; fixed in 0.5.18

Credits

Reported by: OneThing4101

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.17"
      },
      "package": {
        "ecosystem": "npm",
        "name": "langsmith"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T20:18:02Z",
    "nvd_published_at": "2026-04-10T20:16:24Z",
    "severity": "MODERATE"
  },
  "details": "# GHSA-fw9q-39r9-c252: Prototype Pollution via Incomplete Lodash `set()` Guard in `langsmith-sdk`\n\n**Severity:** Medium (CVSS ~5.6)\n**Status:** Fixed in 0.5.18\n\n---\n\n## Summary\n\nThe LangSmith JavaScript/TypeScript SDK (`langsmith`) contains an incomplete prototype pollution fix in its internally vendored lodash `set()` utility. The `baseAssignValue()` function only guards against the `__proto__` key, but fails to prevent traversal via `constructor.prototype`. This allows an attacker who controls keys in data processed by the `createAnonymizer()` API to pollute `Object.prototype`, affecting all objects in the Node.js process.\n\n---\n\n## Affected Products\n\n| Product | Affected Versions | Component |\n|---------|-------------------|-----------|\n| `langsmith` (npm) | \u003c= 0.5.17 | `js/src/utils/lodash/baseAssignValue.ts`, `js/src/anonymizer/index.ts` |\n| langchain-ai/langsmith-sdk | GitHub main branch (as of 2026-03-24) | JS/TypeScript SDK |\n\n**Not affected:** The Python SDK (`langsmith` on PyPI) does not use lodash or an equivalent pattern.\n\n---\n\n## Root Cause\n\nThe SDK vendors an internal copy of lodash\u0027s `set()` function at `js/src/utils/lodash/`. The `baseAssignValue()` function at `baseAssignValue.ts:11` implements a guard for prototype pollution:\n\n```typescript\nfunction baseAssignValue(object: Record\u003cstring, any\u003e, key: string, value: any) {\n  if (key === \"__proto__\") {\n    Object.defineProperty(object, key, {\n      configurable: true, enumerable: true, value: value, writable: true,\n    });\n  } else {\n    object[key] = value;  // \u2190 No guard for \"constructor\" or \"prototype\" keys\n  }\n}\n```\n\nThis blocks `__proto__` pollution but does **not** block the `constructor.prototype` traversal path. When `set()` is called with a path like `\"constructor.prototype.polluted\"`:\n\n1. `castPath()` splits it into `[\"constructor\", \"prototype\", \"polluted\"]`\n2. `baseSet()` iterates: `obj.constructor` \u2192 `Object` \u2192 `Object.prototype`\n3. `assignValue(Object.prototype, \"polluted\", value)` calls `baseAssignValue()`\n4. Key is `\"polluted\"` (not `\"__proto__\"`), so the guard is bypassed\n5. `Object.prototype.polluted = value` \u2014 all objects are polluted\n\n---\n\n## Attack Vector via Anonymizer\n\nThe `createAnonymizer()` API (importable as `langsmith/anonymizer`) processes data by:\n\n1. **Extracting string nodes** \u2014 `extractStringNodes()` walks an object recursively and builds dotted paths from keys\n2. **Applying regex replacements** \u2014 If a string value matches a configured pattern, the node is marked for update (`anonymizer/index.ts:95`)\n3. **Writing back with `set()`** \u2014 `set(mutateValue, node.path, node.value)` writes the replaced value back (`anonymizer/index.ts:123`)\n\nAn attacker who controls keys in data being anonymized can construct a nested object where the path resolves to `constructor.prototype.X`:\n\n```javascript\n{\n  wrapper: {\n    \"constructor.prototype.isAdmin\": \"contains-secret-pattern\"\n  }\n}\n```\n\n`extractStringNodes()` produces path `\"wrapper.constructor.prototype.isAdmin\"`. When the replacement triggers and `set()` writes back, it traverses up to `Object.prototype`.\n\nAlthough `createAnonymizer()` uses `deepClone()` at `anonymizer/index.ts:62` (`JSON.parse(JSON.stringify(data))`), the prototype chain traversal escapes the clone boundary because `clone.wrapper.constructor` resolves to the global `Object` constructor, not a cloned copy.\n\n---\n\n## Proof of Concept\n\n```javascript\nimport { createAnonymizer } from \"langsmith/anonymizer\";\n\nconst anonymizer = createAnonymizer([\n  { pattern: \"secret\", replace: \"[REDACTED]\" }\n]);\n\nconsole.log(\"BEFORE:\", ({}).isAdmin);  // undefined\n\nconst maliciousInput = {\n  wrapper: {\n    \"constructor.prototype.isAdmin\": \"this-is-secret-data\"\n  }\n};\n\nanonymizer(maliciousInput);\n\nconsole.log(\"AFTER:\", ({}).isAdmin);   // \"this-is-[REDACTED]-data\"\nconsole.log(\"Array:\", [].isAdmin);     // \"this-is-[REDACTED]-data\"\n\nfunction checkAccess(user) {\n  if (user.isAdmin) return \"ACCESS GRANTED\";\n  return \"ACCESS DENIED\";\n}\nconsole.log(checkAccess({ name: \"bob\" }));  // \"ACCESS GRANTED\" \u2190 BYPASSED\n```\n\n---\n\n## Impact\n\nPrototype pollution in a Node.js process can enable:\n\n1. **Authentication bypass** \u2014 `if (user.isAdmin)` checks succeed on all objects\n2. **Remote Code Execution** \u2014 Exploitable in template engines (Pug, EJS, Handlebars, Nunjucks) via polluted prototype properties that reach `eval()`/`Function()` sinks\n3. **Denial of Service** \u2014 Overwriting `toString`, `valueOf`, or `hasOwnProperty` on all objects\n4. **Data exfiltration** \u2014 Polluting serialization methods to inject attacker-controlled values\n\n---\n\n## Remediation\n\nIn `baseAssignValue.ts`, extend the guard to cover `constructor` and `prototype` keys:\n\n```typescript\nfunction baseAssignValue(object, key, value) {\n  if (key === \"__proto__\" || key === \"constructor\" || key === \"prototype\") {\n    Object.defineProperty(object, key, {\n      configurable: true, enumerable: true, value, writable: true,\n    });\n  } else {\n    object[key] = value;\n  }\n}\n```\n\nAs defense in depth, `extractStringNodes()` in `anonymizer/index.ts` should also sanitize or reject path segments matching `constructor` or `prototype` before passing them to `set()`.\n\n---\n\n## Timeline\n\n| Date | Event |\n|------|-------|\n| 2026-03-24 | Initial report submitted |\n| 2026-04-09 | Vendor confirmed; fixed in 0.5.18 |\n\n---\n\n## Credits\n\nReported by: OneThing4101",
  "id": "GHSA-fw9q-39r9-c252",
  "modified": "2026-04-10T21:37:36Z",
  "published": "2026-04-10T20:18:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-fw9q-39r9-c252"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40190"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langsmith-sdk/pull/2690"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langsmith-sdk/commit/31d3c3aec02892f4312baae112f817d6b2f0ebe3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langchain-ai/langsmith-sdk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`"
}

GHSA-FWR7-V2MV-HH25

Vulnerability from github – Published: 2022-04-07 00:00 – Updated: 2024-06-24 21:23
VLAI
Summary
Prototype Pollution in async
Details

A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the mapValues() method.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "async"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "async"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-43138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-07T22:13:35Z",
    "nvd_published_at": "2022-04-06T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the `mapValues()` method.",
  "id": "GHSA-fwr7-v2mv-hh25",
  "modified": "2024-06-24T21:23:09Z",
  "published": "2022-04-07T00:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caolan/async/pull/1828"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/caolan/async"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4"
    },
    {
      "type": "WEB",
      "url": "https://jsfiddle.net/oz5twjd9"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240621-0006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in async"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.