CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
780 vulnerabilities reference this CWE, most recent first.
GHSA-M6MG-JVJF-W44X
Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-08-04 21:25This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "conf-cfg-ini"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28441"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-04T21:25:33Z",
"nvd_published_at": "2022-07-25T14:15:00Z",
"severity": "CRITICAL"
},
"details": "This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.",
"id": "GHSA-m6mg-jvjf-w44x",
"modified": "2022-08-04T21:25:33Z",
"published": "2022-07-26T00:01:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28441"
},
{
"type": "WEB",
"url": "https://github.com/loge5/conf-cfg-ini/commit/3a88a6c52c31eb6c0f033369eed40aa168a636ea"
},
{
"type": "WEB",
"url": "https://github.com/loge5/conf-cfg-ini/commit/ecd878f8f7398e765739e989c7fe7cc052308947"
},
{
"type": "PACKAGE",
"url": "https://github.com/loge5/conf-cfg-ini"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-CONFCFGINI-1048973"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "conf-cfg-ini Prototype Pollution via malicious INI file before v1.2.2"
}
GHSA-M7J4-FHG6-XF5V
Vulnerability from github – Published: 2020-12-17 21:00 – Updated: 2024-06-21 21:33All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "datatables.net"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28458"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2020-12-17T18:27:07Z",
"nvd_published_at": "2020-12-16T11:15:00Z",
"severity": "HIGH"
},
"details": "All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.",
"id": "GHSA-m7j4-fhg6-xf5v",
"modified": "2024-06-21T21:33:49Z",
"published": "2020-12-17T21:00:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28458"
},
{
"type": "WEB",
"url": "https://github.com/DataTables/DataTablesSrc/commit/a51cbe99fd3d02aa5582f97d4af1615d11a1ea03"
},
{
"type": "PACKAGE",
"url": "https://github.com/DataTables/DataTablesSrc"
},
{
"type": "WEB",
"url": "https://github.com/DataTables/Dist-DataTables/blob/master/js/jquery.dataTables.js%23L2766"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240621-0006"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1051961"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1051962"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1016402"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "datatables.net vulnerable to Prototype Pollution due to incomplete fix"
}
GHSA-M7MV-M566-78J6
Vulnerability from github – Published: 2022-08-19 00:00 – Updated: 2022-08-20 00:00A vulnerability found in postgresql. On this security issue an attack requires permission to create non-temporary objects in at least one schema, ability to lure or wait for an administrator to create or update an affected extension in that schema, and ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, the attacker can run arbitrary code as the victim role, which may be a superuser. Known-affected extensions include both PostgreSQL-bundled and non-bundled extensions. PostgreSQL blocks this attack in the core server, so there's no need to modify individual extensions.
{
"affected": [],
"aliases": [
"CVE-2022-2625"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-913",
"CWE-915"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-18T19:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability found in postgresql. On this security issue an attack requires permission to create non-temporary objects in at least one schema, ability to lure or wait for an administrator to create or update an affected extension in that schema, and ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, the attacker can run arbitrary code as the victim role, which may be a superuser. Known-affected extensions include both PostgreSQL-bundled and non-bundled extensions. PostgreSQL blocks this attack in the core server, so there\u0027s no need to modify individual extensions.",
"id": "GHSA-m7mv-m566-78j6",
"modified": "2022-08-20T00:00:39Z",
"published": "2022-08-19T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2625"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-2625"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2113825"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202211-04"
},
{
"type": "WEB",
"url": "https://www.postgresql.org/about/news/postgresql-145-138-1212-1117-1022-and-15-beta-3-released-2496"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M7RG-8WVQ-846V
Vulnerability from github – Published: 2021-06-07 21:49 – Updated: 2023-08-08 19:57Prototype pollution vulnerability in 'nestie' versions 0.0.0 through 1.0.0 allows an attacker to cause a denial of service and may lead to remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nestie"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-25947"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-913"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-04T18:32:41Z",
"nvd_published_at": "2021-06-03T20:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in \u0027nestie\u0027 versions 0.0.0 through 1.0.0 allows an attacker to cause a denial of service and may lead to remote code execution.",
"id": "GHSA-m7rg-8wvq-846v",
"modified": "2023-08-08T19:57:34Z",
"published": "2021-06-07T21:49:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25947"
},
{
"type": "WEB",
"url": "https://github.com/lukeed/nestie/commit/bc80d5898d1e5e8a3d325d355eda0c325c8dcfc2"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25947"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in nestie"
}
GHSA-M8GW-HJPR-RJV7
Vulnerability from github – Published: 2022-01-05 15:01 – Updated: 2022-01-04 17:43All versions of package dojo are vulnerable to Prototype Pollution via the setObject function.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "dojo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.16.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23450"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-04T17:43:26Z",
"nvd_published_at": "2021-12-17T20:15:00Z",
"severity": "HIGH"
},
"details": "All versions of package dojo are vulnerable to Prototype Pollution via the setObject function.",
"id": "GHSA-m8gw-hjpr-rjv7",
"modified": "2022-01-04T17:43:26Z",
"published": "2022-01-05T15:01:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23450"
},
{
"type": "PACKAGE",
"url": "https://github.com/dojo/dojo"
},
{
"type": "WEB",
"url": "https://github.com/dojo/dojo/blob/4c39c14349408fc8274e19b399ffc660512ed07c/_base/lang.js%23L172"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00030.html"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2313036"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2313035"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBDOJO-2313034"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2313033"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-DOJO-1535223"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in dojo"
}
GHSA-M929-RG27-GJ99
Vulnerability from github – Published: 2025-09-24 21:30 – Updated: 2025-10-20 15:32Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-r8c2-2qwq-94p6. This link is maintained to preserve external references.
Original Description
rollbar is a package designed to effortlessly track and debug errors in JavaScript applications. This package includes advanced error tracking features and an intuitive interface to help you identify and fix issues more quickly. A Prototype Pollution vulnerability in the utility.set function of rollbar v2.26.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "rollbar"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.26.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-26T20:08:11Z",
"nvd_published_at": "2025-09-24T20:15:32Z",
"severity": "LOW"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-r8c2-2qwq-94p6. This link is maintained to preserve external references.\n\n### Original Description\nrollbar is a package designed to effortlessly track and debug errors in JavaScript applications. This package includes advanced error tracking features and an intuitive interface to help you identify and fix issues more quickly. A Prototype Pollution vulnerability in the utility.set function of rollbar v2.26.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.",
"id": "GHSA-m929-rg27-gj99",
"modified": "2025-10-20T15:32:57Z",
"published": "2025-09-24T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57325"
},
{
"type": "WEB",
"url": "https://github.com/rollbar/rollbar.js/issues/1333"
},
{
"type": "WEB",
"url": "https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/rollbar%402.26.4/index.js"
},
{
"type": "WEB",
"url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57325"
},
{
"type": "PACKAGE",
"url": "https://github.com/rollbar/rollbar.js"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: rollbar vulnerable to prototype pollution",
"withdrawn": "2025-10-20T15:31:48Z"
}
GHSA-M939-VRFP-9V8P
Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-08-06 09:35This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "js-ini"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28461"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-06T09:35:43Z",
"nvd_published_at": "2022-07-25T14:15:00Z",
"severity": "CRITICAL"
},
"details": "This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with `parse` , they will pollute the prototype on the application. This can be exploited further depending on the context.",
"id": "GHSA-m939-vrfp-9v8p",
"modified": "2022-08-06T09:35:43Z",
"published": "2022-07-26T00:01:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28461"
},
{
"type": "WEB",
"url": "https://github.com/Sdju/js-ini/commit/fa17efb7e3a7c9464508a254838d4c231784931e"
},
{
"type": "PACKAGE",
"url": "https://github.com/Sdju/js-ini"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-JSINI-1048970"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "js-ini Prorotype Pollution when malicious INI files submitted to an application that parses it with `parse`"
}
GHSA-MH29-5H37-FV8M
Vulnerability from github – Published: 2025-11-14 14:29 – Updated: 2026-01-31 03:32Impact
In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.
Patches
Problem is patched in js-yaml 4.1.1 and 3.14.2.
Workarounds
You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).
References
https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "js-yaml"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "js-yaml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.14.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64718"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-14T14:29:48Z",
"nvd_published_at": "2025-11-13T16:15:57Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nIn js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it\u0027s possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted.\n\n### Patches\n\nProblem is patched in js-yaml 4.1.1 and 3.14.2.\n\n### Workarounds\n\nYou can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).\n\n### References\n\nhttps://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html",
"id": "GHSA-mh29-5h37-fv8m",
"modified": "2026-01-31T03:32:42Z",
"published": "2025-11-14T14:29:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64718"
},
{
"type": "WEB",
"url": "https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876"
},
{
"type": "WEB",
"url": "https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879"
},
{
"type": "WEB",
"url": "https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodeca/js-yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "js-yaml has prototype pollution in merge (\u003c\u003c)"
}
GHSA-MH82-55CM-6GFH
Vulnerability from github – Published: 2021-06-08 23:16 – Updated: 2022-06-29 20:42Prototype pollution vulnerability in 'js-extend' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "js-extend"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-25945"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-27T23:04:49Z",
"nvd_published_at": "2021-05-26T15:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in \u0027js-extend\u0027 versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.",
"id": "GHSA-mh82-55cm-6gfh",
"modified": "2022-06-29T20:42:39Z",
"published": "2021-06-08T23:16:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25945"
},
{
"type": "PACKAGE",
"url": "https://github.com/vmattos/js-extend"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25945"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution vulnerability in js-extend"
}
GHSA-MH8J-9JVH-GJF6
Vulnerability from github – Published: 2023-12-08 06:30 – Updated: 2023-12-08 15:49All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).
User controlled inputs inside the extend() method of the Mock.Handler, Mock.Random, Mock.RE.Handler or Mock.Util, will allow an attacker to exploit this vulnerability.
Workaround
By using a denylist of dangerous attributes, this weakness can be eliminated.
Add the following line in the Util.extend function:
js js if (["proto", "constructor", "prototype"].includes(name)) continue
js // src/mock/handler.js Util.extend = function extend() { var target = arguments[0] || {}, i = 1, length = arguments.length, options, name, src, copy, clone
if (length === 1) {
target = this
i = 0
}
for (; i < length; i++) {
options = arguments[i]
if (!options) continue
for (name in options) {
if (["__proto__", "constructor", "prototype"].includes(name)) continue
src = target[name]
copy = options[name]
if (target === copy) continue
if (copy === undefined) continue
if (Util.isArray(copy) || Util.isObject(copy)) {
if (Util.isArray(copy)) clone = src && Util.isArray(src) ? src : []
if (Util.isObject(copy)) clone = src && Util.isObject(src) ? src : {}
target[name] = Util.extend(clone, copy)
} else {
target[name] = copy
}
}
}
return target
}
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mockjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26158"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-08T15:49:13Z",
"nvd_published_at": "2023-12-08T05:15:07Z",
"severity": "HIGH"
},
"details": "All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).\n\nUser controlled inputs inside the extend() method of the Mock.Handler, Mock.Random, Mock.RE.Handler or Mock.Util, will allow an attacker to exploit this vulnerability.\n\n Workaround\n\nBy using a denylist of dangerous attributes, this weakness can be eliminated.\n\nAdd the following line in the Util.extend function:\n\njs\njs if ([\"__proto__\", \"constructor\", \"prototype\"].includes(name)) continue\n\n\njs\n// src/mock/handler.js\nUtil.extend = function extend() {\n var target = arguments[0] || {},\n i = 1,\n length = arguments.length,\n options, name, src, copy, clone\n\n if (length === 1) {\n target = this\n i = 0\n }\n\n for (; i \u003c length; i++) {\n options = arguments[i]\n if (!options) continue\n\n for (name in options) {\n if ([\"__proto__\", \"constructor\", \"prototype\"].includes(name)) continue\n src = target[name]\n copy = options[name]\n\n if (target === copy) continue\n if (copy === undefined) continue\n\n if (Util.isArray(copy) || Util.isObject(copy)) {\n if (Util.isArray(copy)) clone = src \u0026\u0026 Util.isArray(src) ? src : []\n if (Util.isObject(copy)) clone = src \u0026\u0026 Util.isObject(src) ? src : {}\n\n target[name] = Util.extend(clone, copy)\n } else {\n target[name] = copy\n }\n }\n }\n\n return target\n }\n",
"id": "GHSA-mh8j-9jvh-gjf6",
"modified": "2023-12-08T15:49:13Z",
"published": "2023-12-08T06:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26158"
},
{
"type": "PACKAGE",
"url": "https://github.com/nuysoft/Mock"
},
{
"type": "WEB",
"url": "https://github.com/nuysoft/Mock/blob/00ce04b92eb464e664a4438430903f2de96efb47/dist/mock.js#L721-L755"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-MOCKJS-6051365"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "mockjs vulnerable to Prototype Pollution via the Util.extend function"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.