Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

782 vulnerabilities reference this CWE, most recent first.

GHSA-FWR7-V2MV-HH25

Vulnerability from github – Published: 2022-04-07 00:00 – Updated: 2024-06-24 21:23
VLAI
Summary
Prototype Pollution in async
Details

A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the mapValues() method.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "async"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "async"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-43138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-07T22:13:35Z",
    "nvd_published_at": "2022-04-06T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the `mapValues()` method.",
  "id": "GHSA-fwr7-v2mv-hh25",
  "modified": "2024-06-24T21:23:09Z",
  "published": "2022-04-07T00:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caolan/async/pull/1828"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/caolan/async"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4"
    },
    {
      "type": "WEB",
      "url": "https://jsfiddle.net/oz5twjd9"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240621-0006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in async"
}

GHSA-FX83-V9X8-X52W

Vulnerability from github – Published: 2026-05-12 15:01 – Updated: 2026-05-14 20:35
VLAI
Summary
protobuf.js: Prototype injection in generated message constructors
Details

Summary

protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an attacker-controlled plain object, an own enumerable __proto__ property could alter the prototype of that individual message instance.

Impact

An attacker who can control the properties object passed to a generated protobufjs message constructor or creation helper may be able to modify the prototype chain of the resulting message instance.

This is a per-instance prototype injection issue. It does not pollute Object.prototype or other global prototypes. The impact depends on downstream application behavior, such as relying on inherited properties, prototype methods, or instanceof checks for message objects.

Applications that only decode binary protobuf data, or that construct messages from trusted application-defined objects, are not directly affected by this issue.

Preconditions

  • The application must allow an attacker to control or influence a plain object used to construct a protobufjs message.
  • The object must contain an own enumerable __proto__ property, for example from parsed JSON input.
  • The application must pass that object to a generated message constructor or creation helper that copies arbitrary enumerable properties.

Workarounds

Do not pass attacker-controlled plain objects directly to generated message constructors with affected versions. If untrusted JSON input must be accepted, validate or sanitize object keys before constructing messages, and reject __proto__ properties.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.5.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "protobufjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "protobufjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44292"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-12T15:01:44Z",
    "nvd_published_at": "2026-05-13T16:16:56Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nprotobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the `__proto__` key. If an application constructed a message from an attacker-controlled plain object, an own enumerable `__proto__` property could alter the prototype of that individual message instance.\n\n## Impact\n\nAn attacker who can control the properties object passed to a generated protobufjs message constructor or creation helper may be able to modify the prototype chain of the resulting message instance.\n\nThis is a per-instance prototype injection issue. It does not pollute `Object.prototype` or other global prototypes. The impact depends on downstream application behavior, such as relying on inherited properties, prototype methods, or `instanceof` checks for message objects.\n\nApplications that only decode binary protobuf data, or that construct messages from trusted application-defined objects, are not directly affected by this issue.\n\n## Preconditions\n\n- The application must allow an attacker to control or influence a plain object used to construct a protobufjs message.\n- The object must contain an own enumerable `__proto__` property, for example from parsed JSON input.\n- The application must pass that object to a generated message constructor or creation helper that copies arbitrary enumerable properties.\n\n## Workarounds\n\nDo not pass attacker-controlled plain objects directly to generated message constructors with affected versions. If untrusted JSON input must be accepted, validate or sanitize object keys before constructing messages, and reject `__proto__` properties.",
  "id": "GHSA-fx83-v9x8-x52w",
  "modified": "2026-05-14T20:35:19Z",
  "published": "2026-05-12T15:01:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-fx83-v9x8-x52w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44292"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/protobufjs/protobuf.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "protobuf.js: Prototype injection in generated message constructors"
}

GHSA-FXWF-45C7-4PPR

Vulnerability from github – Published: 2021-10-12 16:40 – Updated: 2022-01-07 16:07
VLAI
Summary
Prototype pollution in object-hierarchy-access
Details

Overview:Prototype pollution vulnerability in ‘object-hierarchy-access’ versions 0.2.0 through 0.32.0 allows attacker to cause a denial of service and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "object-hierarchy-access"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.0"
            },
            {
              "fixed": "0.33.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28270"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-11T21:14:17Z",
    "nvd_published_at": "2020-11-12T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Overview:Prototype pollution vulnerability in \u2018object-hierarchy-access\u2019 versions 0.2.0 through 0.32.0 allows attacker to cause a denial of service and may lead to remote code execution.",
  "id": "GHSA-fxwf-45c7-4ppr",
  "modified": "2022-01-07T16:07:29Z",
  "published": "2021-10-12T16:40:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28270"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mjpclab/object-hierarchy-access/commit/7b1aa134a8bc4a376296bcfac5c3463aef2b7572"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mjpclab/object-hierarchy-access"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28270"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28270,"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in object-hierarchy-access"
}

GHSA-G3Q2-VCJQ-RGRC

Vulnerability from github – Published: 2024-05-20 18:31 – Updated: 2024-07-05 20:59
VLAI
Summary
Blackprint @blackprint/engine Prototype Pollution issue
Details

A Prototype Pollution issue in Blackprint @blackprint/engine 0.8.12 through 0.9.1 allows an attacker to execute arbitrary code via the _utils.setDeepProperty function of engine.min.js.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@blackprint/engine"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.12"
            },
            {
              "fixed": "0.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-20T20:54:10Z",
    "nvd_published_at": "2024-05-20T17:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "A Prototype Pollution issue in Blackprint @blackprint/engine 0.8.12 through 0.9.1 allows an attacker to execute arbitrary code via the `_utils.setDeepProperty` function of `engine.min.js`.",
  "id": "GHSA-g3q2-vcjq-rgrc",
  "modified": "2024-07-05T20:59:11Z",
  "published": "2024-05-20T18:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24294"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Blackprint/engine-js/commit/bd6b965b03c467e7a58ab0cb89b9172fa5e07013"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/d1eb6e1f7c6dd60d8838c3e56cab634d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Blackprint/engine-js"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Blackprint @blackprint/engine Prototype Pollution issue"
}

GHSA-G3VF-47FV-8F3C

Vulnerability from github – Published: 2023-08-11 15:30 – Updated: 2023-08-16 21:39
VLAI
Summary
MrSwitch hello.js vulnerable to prototype pollution
Details

A prototype pollution vulnerability in MrSwitch hello.js prior to version 1.18.8 allows remote attackers to execute arbitrary code via hello.utils.extend function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "hellojs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.18.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-26505"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-11T22:08:41Z",
    "nvd_published_at": "2023-08-11T14:15:12Z",
    "severity": "CRITICAL"
  },
  "details": "A prototype pollution vulnerability in MrSwitch hello.js prior to version 1.18.8 allows remote attackers to execute arbitrary code via `hello.utils.extend` function.",
  "id": "GHSA-g3vf-47fv-8f3c",
  "modified": "2023-08-16T21:39:51Z",
  "published": "2023-08-11T15:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26505"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MrSwitch/hello.js/issues/634"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MrSwitch/hello.js/commit/7ab50aeff2d41991f08d4ad6c0481125eea8f6b7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MrSwitch/hello.js"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MrSwitch hello.js vulnerable to prototype pollution"
}

GHSA-G452-6RFC-VRVX

Vulnerability from github – Published: 2021-09-01 18:31 – Updated: 2021-08-30 21:26
VLAI
Summary
Prototype Pollution in open-graph
Details

This affects the package open-graph before 0.2.6. The function parse could be tricked into adding or modifying properties of Object.prototype using a proto or constructor payload.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "open-graph"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-30T21:26:31Z",
    "nvd_published_at": "2021-08-08T08:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This affects the package open-graph before 0.2.6. The function parse could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor payload.",
  "id": "GHSA-g452-6rfc-vrvx",
  "modified": "2021-08-30T21:26:46Z",
  "published": "2021-09-01T18:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23419"
    },
    {
      "type": "WEB",
      "url": "https://github.com/samholmes/node-open-graph/commit/a0cef507a90adaac7dbbe9c404f09a50bdefb348"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/samholmes/node-open-graph"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-OPENGRAPH-1536747"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in open-graph"
}

GHSA-G4GQ-J4P2-J8FR

Vulnerability from github – Published: 2021-08-05 17:00 – Updated: 2024-09-03 21:14
VLAI
Summary
Remote Code Execution via Script (Python) objects under Python 3
Details

Impact

Background: The optional add-on package Products.PythonScripts adds Script (Python) to the list of content items a user can add to the Zope object database. Inside these scripts users can write Python code that is executed when rendered through the web. The code environment in these script objects is limited, it relies on the RestrictedPython package to provide a "safe" subset of Python instructions as well as the AccessControl package that defines security policies for execution in the context of a Zope application.

Recently the AccessControl package was updated to fix a remote code execution security issue. A link to the security advisory is provided in the References section below. The bug tightens the AccessControl security policies for Zope by blocking access to unsafe classes inside the Python string module.

You are only affected if the following are true:

  • You use Python 3 for your Zope deployment (Zope 4 on Python 2 is not affected)
  • You run Zope 4 below version 4.6.3 or Zope 5 below version 5.3
  • You have installed the optional Products.PythonScripts add-on package

By default, you need to have the admin-level Zope "Manager" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web - which would be a very unusual configuration to begin with - are at risk.

Patches

The problem has been fixed in AccessControl versions 4.3 and 5.2. Zope releases 4.6.3 and 5.3 now require these new AccessControl releases.

Workarounds

A site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.

References

For more information

If you have any questions or comments about this advisory: * Open an issue in the Zope issue tracker * Email us at security@plone.org

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Zope"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0"
            },
            {
              "fixed": "4.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Zope"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0"
            },
            {
              "fixed": "5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32811"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-02T22:57:25Z",
    "nvd_published_at": "2021-08-02T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nBackground: The optional add-on package `Products.PythonScripts` adds `Script (Python)` to the list of content items a user can add to the Zope object database. Inside these scripts users can write Python code that is executed when rendered through the web. The code environment in these script objects is limited, it relies on the `RestrictedPython` package to provide a \"safe\" subset of Python instructions as well as the `AccessControl` package that defines security policies for execution in the context of a Zope application.\n\nRecently the `AccessControl` package was updated to fix a remote code execution security issue. A link to the security advisory is provided in the References section below. The bug tightens the `AccessControl` security policies for Zope by blocking access to unsafe classes inside the Python `string` module.\n\nYou are only affected if the following are true:\n\n- You use Python 3 for your Zope deployment (Zope 4 on Python 2 is not affected)\n- You run Zope 4 below version 4.6.3 or Zope 5 below version 5.3\n- You have installed the optional `Products.PythonScripts` add-on package\n\nBy default, you need to have the admin-level Zope \"Manager\" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web - which would be a very unusual configuration to begin with - are at risk.\n\n### Patches\nThe problem has been fixed in `AccessControl` versions 4.3 and 5.2. Zope releases 4.6.3 and 5.3 now require these new `AccessControl` releases.\n\n### Workarounds\nA site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.\n\n### References\n* [AccessControl security advisory GHSA-qcx9-j53g-ccgf](https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [Zope issue tracker](https://github.com/zopefoundation/Zope/issues)\n* Email us at [security@plone.org](mailto:security@plone.org)\n\n",
  "id": "GHSA-g4gq-j4p2-j8fr",
  "modified": "2024-09-03T21:14:03Z",
  "published": "2021-08-05T17:00:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32811"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/Zope/commit/869f947e586517566509e0ccdd4d99b60704cc02"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/zope/PYSEC-2021-368.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zopefoundation/Zope"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Remote Code Execution via Script (Python) objects under Python 3"
}

GHSA-G64Q-3VG8-8F93

Vulnerability from github – Published: 2020-09-03 15:47 – Updated: 2025-09-30 16:16
VLAI
Summary
Prototype Pollution in pez
Details

All versions of pez are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts’ content can be set as the entire payload object’s prototype. If this prototype contains data, it may bypass other validation rules which enforce access and privacy. If this prototype evaluates to null, it can cause unhandled exceptions when the request payload is accessed.

Recommendation

This package is deprecated and is now maintained as @hapi/pez. Please update your dependencies to use @hapi/pez.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "pez"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T19:00:49Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "All versions of `pez` are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts\u2019 content can be set as the entire payload object\u2019s prototype. If this prototype contains data, it may bypass other validation rules which enforce access and privacy. If this prototype evaluates to null, it can cause unhandled exceptions when the request payload is accessed.\n\n\n## Recommendation\n\nThis package is deprecated and is now maintained as `@hapi/pez`. Please update your dependencies to use `@hapi/pez`.",
  "id": "GHSA-g64q-3vg8-8f93",
  "modified": "2025-09-30T16:16:58Z",
  "published": "2020-09-03T15:47:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hapijs/pez/compare/v4.1.1...v4.1.2"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1479"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Prototype Pollution in pez"
}

GHSA-G6WW-V8XP-VMWG

Vulnerability from github – Published: 2022-02-10 20:21 – Updated: 2022-04-18 21:58
VLAI
Summary
Prototype pollution in pathval
Details

A prototype pollution vulnerability affects all versions of package pathval under 1.1.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "pathval"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7751"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-20T17:32:20Z",
    "nvd_published_at": "2020-10-26T12:17:00Z",
    "severity": "HIGH"
  },
  "details": "A prototype pollution vulnerability affects all versions of package pathval under 1.1.1.",
  "id": "GHSA-g6ww-v8xp-vmwg",
  "modified": "2022-04-18T21:58:49Z",
  "published": "2022-02-10T20:21:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7751"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chaijs/pathval/pull/58/commits/21a9046cfa0c2697cb41990f3b4316db410e6c8a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chaijs/pathval/pull/58/files"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chaijs/pathval"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chaijs/pathval/releases/tag/v1.1.1"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-PATHVAL-596926"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in pathval"
}

GHSA-G78F-549W-C354

Vulnerability from github – Published: 2021-04-13 15:23 – Updated: 2021-04-07 23:21
VLAI
Summary
Prototype Pollution in multi-ini
Details

This affects the package multi-ini before 2.1.1. It is possible to pollute an object's prototype by specifying the proto object as part of an array.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "multi-ini"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28448"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-07T23:21:37Z",
    "nvd_published_at": "2020-12-22T13:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "This affects the package multi-ini before 2.1.1. It is possible to pollute an object\u0027s prototype by specifying the proto object as part of an array.",
  "id": "GHSA-g78f-549w-c354",
  "modified": "2021-04-07T23:21:37Z",
  "published": "2021-04-13T15:23:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28448"
    },
    {
      "type": "WEB",
      "url": "https://github.com/evangelion1204/multi-ini/pull/37"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-MULTIINI-1048969"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in multi-ini"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.