Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

780 vulnerabilities reference this CWE, most recent first.

GHSA-MHWJ-73QX-JQXM

Vulnerability from github – Published: 2026-05-11 16:10 – Updated: 2026-05-11 16:10
VLAI
Summary
@theecryptochad/merge-guard has Prototype Pollution in its deepMerge() function
Details

Summary

@theecryptochad/merge-guard versions prior to 1.0.1 are vulnerable to Prototype Pollution via the deepMerge() function. An attacker who controls the source object can inject __proto__ keys that mutate Object.prototype, affecting all objects in the Node.js runtime.

Details

The deepMerge() function recursively merges two objects without sanitizing reserved property keys (__proto__, constructor, prototype). When a source object contains a __proto__ key, its value is assigned to target.__proto__, which JavaScript engines interpret as a write to Object.prototype.

Proof of Concept

const { deepMerge } = require('@theecryptochad/merge-guard');
const payload = JSON.parse('{"__proto__":{"isAdmin":true}}');
deepMerge({}, payload);
console.log({}.isAdmin); // true — Object.prototype is polluted

Impact

Any application using deepMerge() with untrusted input (e.g. user-supplied JSON from HTTP requests, WebSocket messages, or config files) is vulnerable. An attacker can inject arbitrary properties onto Object.prototype, enabling privilege escalation, application logic bypass, and property injection.

Remediation

Upgrade to @theecryptochad/merge-guard >= 1.0.1, which adds an explicit blocklist:

const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
if (BLOCKED.has(key)) continue;

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@theecryptochad/merge-guard"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T16:10:12Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`@theecryptochad/merge-guard` versions prior to 1.0.1 are vulnerable to Prototype Pollution via the `deepMerge()` function. An attacker who controls the source object can inject `__proto__` keys that mutate `Object.prototype`, affecting all objects in the Node.js runtime.\n\n## Details\n\nThe `deepMerge()` function recursively merges two objects without sanitizing reserved property keys (`__proto__`, `constructor`, `prototype`). When a source object contains a `__proto__` key, its value is assigned to `target.__proto__`, which JavaScript engines interpret as a write to `Object.prototype`.\n\n## Proof of Concept\n\n```js\nconst { deepMerge } = require(\u0027@theecryptochad/merge-guard\u0027);\nconst payload = JSON.parse(\u0027{\"__proto__\":{\"isAdmin\":true}}\u0027);\ndeepMerge({}, payload);\nconsole.log({}.isAdmin); // true \u2014 Object.prototype is polluted\n```\n\n## Impact\n\nAny application using `deepMerge()` with untrusted input (e.g. user-supplied JSON from HTTP requests, WebSocket messages, or config files) is vulnerable. An attacker can inject arbitrary properties onto `Object.prototype`, enabling privilege escalation, application logic bypass, and property injection.\n\n## Remediation\n\nUpgrade to `@theecryptochad/merge-guard \u003e= 1.0.1`, which adds an explicit blocklist:\n\n```js\nconst BLOCKED = new Set([\u0027__proto__\u0027, \u0027constructor\u0027, \u0027prototype\u0027]);\nif (BLOCKED.has(key)) continue;\n```\n\n## References\n- [CWE-1321: Improper Neutralization of Special Elements in Object Keys](https://cwe.mitre.org/data/definitions/1321.html)\n- [OWASP: Prototype Pollution](https://owasp.org/www-community/attacks/Prototype_Pollution)\n- [Fix commit](https://github.com/TheeCryptoChad/merge-guard/releases/tag/v1.0.1)",
  "id": "GHSA-mhwj-73qx-jqxm",
  "modified": "2026-05-11T16:10:12Z",
  "published": "2026-05-11T16:10:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TheeCryptoChad/merge-guard/security/advisories/GHSA-mhwj-73qx-jqxm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TheeCryptoChad/merge-guard/commit/25e4b4f2618578a656ef3cb4946a1b475f736736"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TheeCryptoChad/merge-guard"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@theecryptochad/merge-guard has Prototype Pollution in its deepMerge() function"
}

GHSA-MJ4P-GMHR-92G3

Vulnerability from github – Published: 2024-06-17 18:31 – Updated: 2024-07-05 17:26
VLAI
Summary
@akbr/update Prototype Pollution
Details

akbr update 1.0.0 is vulnerable to Prototype Pollution via update/index.js.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@akbr/update"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-36578"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-17T22:30:05Z",
    "nvd_published_at": "2024-06-17T16:15:15Z",
    "severity": "MODERATE"
  },
  "details": "akbr update 1.0.0 is vulnerable to Prototype Pollution via update/index.js.",
  "id": "GHSA-mj4p-gmhr-92g3",
  "modified": "2024-07-05T17:26:43Z",
  "published": "2024-06-17T18:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36578"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/8bc749ec2b5453d887b2f4a362a65897"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/akbr/update"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@akbr/update Prototype Pollution"
}

GHSA-MJ9H-QP8G-G746

Vulnerability from github – Published: 2024-07-30 21:31 – Updated: 2024-08-01 15:32
VLAI
Details

chase-moskal snapstate v0.0.9 was discovered to contain a prototype pollution via the function attemptNestedProperty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39010"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-30T20:15:04Z",
    "severity": "CRITICAL"
  },
  "details": "chase-moskal snapstate v0.0.9 was discovered to contain a prototype pollution via the function attemptNestedProperty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
  "id": "GHSA-mj9h-qp8g-g746",
  "modified": "2024-08-01T15:32:15Z",
  "published": "2024-07-30T21:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39010"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/af7a746df91ab5e944bd7a186816c262"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJJJ-6P43-VHHV

Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-06-29 21:52
VLAI
Summary
Prototype Pollution in deep-get-set
Details

All versions of package deep-get-set are vulnerable to Prototype Pollution via the 'deep' function. Note: This vulnerability derives from an incomplete fix of CVE-2020-7715

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "deep-get-set"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21231"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-29T21:52:18Z",
    "nvd_published_at": "2022-06-24T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "All versions of package deep-get-set are vulnerable to Prototype Pollution via the \u0027deep\u0027 function. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7715](https://security.snyk.io/vuln/SNYK-JS-DEEPGETSET-598666)",
  "id": "GHSA-mjjj-6p43-vhhv",
  "modified": "2022-06-29T21:52:18Z",
  "published": "2022-06-25T00:00:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21231"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/acstll/deep-get-set"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-DEEPGETSET-2342655"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in deep-get-set"
}

GHSA-MMHX-HMJR-R674

Vulnerability from github – Published: 2024-09-16 20:34 – Updated: 2024-09-16 22:37
VLAI
Summary
DOMPurify allows tampering by prototype pollution
Details

It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.

This renders dompurify unable to avoid XSS attack.

Fixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "dompurify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "dompurify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-16T20:34:26Z",
    "nvd_published_at": "2024-09-16T19:16:11Z",
    "severity": "HIGH"
  },
  "details": "It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.\n\nThis renders dompurify unable to avoid XSS attack.\n\nFixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).",
  "id": "GHSA-mmhx-hmjr-r674",
  "modified": "2024-09-16T22:37:33Z",
  "published": "2024-09-16T20:34:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45801"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cure53/DOMPurify"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "DOMPurify allows tampering by prototype pollution"
}

GHSA-MMJ4-777P-FPQ9

Vulnerability from github – Published: 2022-02-07 22:38 – Updated: 2023-07-13 19:05
VLAI
Summary
Validation bypass in frourio-express
Details

日本語

影響

v0.26.0以前のfrourioを使用している、かつvalidators/を利用している場合、ネストされたバリデータがリクエストのボディーとクエリに対して正しく働かないケースがあります。また、リクエストに対してバリデーションが効かなくなる入力があります。

パッチ

frourioをv0.26.0かそれ以降のバージョンにアップデートをお願いします。frourio を使用したプロジェクトには class-transformerreflect-metadata の依存への追加も必要となります。

ワークアラウンド

controller側で自分でclass-transformerを使用してチェックする、vaildatorを使わない、など。

さらなる情報

このセキュリティ勧告に関する質問やコメントについては、以下の方法でお問い合わせいただけます。 * frourioにIssueを開く。

English

Impact

Frourio users who uses frourio version prior to v0.26.0 and integration with class-validator through validators/ folder. Validators does not work properly for request bodies and queries in specific situations. Addtionally, some kind of input is not validated. (false positives)

Patches

Please update your frourio to v0.26.0 or later. You also need to install class-transformer and reflect-metadata to your project.

Workarounds

Validate objects from request with class-transformer in controllers by yourself, or prevent using validators.

For more information

If you have any questions or comments about this advisory: * Open an issue in frourio

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "frourio-express"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23624"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-07T22:38:37Z",
    "nvd_published_at": "2022-02-07T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "## \u65e5\u672c\u8a9e\n\n### \u5f71\u97ff\nv0.26.0\u4ee5\u524d\u306efrourio\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u3001\u304b\u3064validators/\u3092\u5229\u7528\u3057\u3066\u3044\u308b\u5834\u5408\u3001\u30cd\u30b9\u30c8\u3055\u308c\u305f\u30d0\u30ea\u30c7\u30fc\u30bf\u304c\u30ea\u30af\u30a8\u30b9\u30c8\u306e\u30dc\u30c7\u30a3\u30fc\u3068\u30af\u30a8\u30ea\u306b\u5bfe\u3057\u3066\u6b63\u3057\u304f\u50cd\u304b\u306a\u3044\u30b1\u30fc\u30b9\u304c\u3042\u308a\u307e\u3059\u3002\u307e\u305f\u3001\u30ea\u30af\u30a8\u30b9\u30c8\u306b\u5bfe\u3057\u3066\u30d0\u30ea\u30c7\u30fc\u30b7\u30e7\u30f3\u304c\u52b9\u304b\u306a\u304f\u306a\u308b\u5165\u529b\u304c\u3042\u308a\u307e\u3059\u3002\n\n### \u30d1\u30c3\u30c1\nfrourio\u3092v0.26.0\u304b\u305d\u308c\u4ee5\u964d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306b\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u3092\u304a\u9858\u3044\u3057\u307e\u3059\u3002frourio \u3092\u4f7f\u7528\u3057\u305f\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u306b\u306f `class-transformer` \u3068 `reflect-metadata` \u306e\u4f9d\u5b58\u3078\u306e\u8ffd\u52a0\u3082\u5fc5\u8981\u3068\u306a\u308a\u307e\u3059\u3002\n\n### \u30ef\u30fc\u30af\u30a2\u30e9\u30a6\u30f3\u30c9\ncontroller\u5074\u3067\u81ea\u5206\u3067class-transformer\u3092\u4f7f\u7528\u3057\u3066\u30c1\u30a7\u30c3\u30af\u3059\u308b\u3001vaildator\u3092\u4f7f\u308f\u306a\u3044\u3001\u306a\u3069\u3002\n\n### \u3055\u3089\u306a\u308b\u60c5\u5831\n\n\u3053\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u52e7\u544a\u306b\u95a2\u3059\u308b\u8cea\u554f\u3084\u30b3\u30e1\u30f3\u30c8\u306b\u3064\u3044\u3066\u306f\u3001\u4ee5\u4e0b\u306e\u65b9\u6cd5\u3067\u304a\u554f\u3044\u5408\u308f\u305b\u3044\u305f\u3060\u3051\u307e\u3059\u3002\n* [frourio](https://github.com/frouriojs/frourio)\u306bIssue\u3092\u958b\u304f\u3002\n\n## English\n\n### Impact\nFrourio users who uses frourio version prior to v0.26.0 and integration with class-validator through `validators/` folder. Validators does not work properly for request bodies and queries in specific situations. Addtionally, some kind of input is not validated. (false positives)\n\n### Patches\nPlease update your frourio to v0.26.0 or later. You also need to install `class-transformer` and `reflect-metadata` to your project.\n\n### Workarounds\nValidate objects from request with class-transformer in controllers by yourself, or prevent using validators.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [frourio](https://github.com/frouriojs/frourio)\n",
  "id": "GHSA-mmj4-777p-fpq9",
  "modified": "2023-07-13T19:05:32Z",
  "published": "2022-02-07T22:38:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/frouriojs/frourio-express/security/advisories/GHSA-mmj4-777p-fpq9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23624"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frouriojs/frourio-express/commit/73ded5c6f9f1c126c0cb2d05c0505e9e4db142d2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/frouriojs/frourio-express"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Validation bypass in frourio-express"
}

GHSA-MQGV-67VX-G4M5

Vulnerability from github – Published: 2022-02-09 22:45 – Updated: 2023-09-05 22:43
VLAI
Summary
Prototype Pollution in js-data
Details

All versions of package js-data prior to 3.0.10 are vulnerable to Prototype Pollution via the deepFillIn function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "js-data"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-08T21:12:54Z",
    "nvd_published_at": "2020-12-15T08:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "All versions of package js-data prior to 3.0.10 are vulnerable to Prototype Pollution via the `deepFillIn` function.",
  "id": "GHSA-mqgv-67vx-g4m5",
  "modified": "2023-09-05T22:43:18Z",
  "published": "2022-02-09T22:45:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28442"
    },
    {
      "type": "WEB",
      "url": "https://github.com/js-data/js-data/pull/574"
    },
    {
      "type": "WEB",
      "url": "https://github.com/js-data/js-data/commit/2d9eed5d3e9710d7e7fecc6f6437c39fe73a4097"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-JSDATA-1023655"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in js-data"
}

GHSA-MW4X-G2X8-QCVF

Vulnerability from github – Published: 2022-12-25 18:30 – Updated: 2023-01-09 19:53
VLAI
Summary
tree-kit vulnerable to Prototype Pollution
Details

A vulnerability classified as problematic has been found in cronvel tree-kit up to 0.6.x. This affects an unknown part. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). Upgrading to version 0.7.0 is able to address this issue. The name of the patch is a63f559c50d70e8cb2eaae670dec25d1dbc4afcd. It is recommended to upgrade the affected component. The identifier VDB-216765 was assigned to this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "tree-kit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-4278"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-09T19:53:50Z",
    "nvd_published_at": "2022-12-25T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability classified as problematic has been found in cronvel tree-kit up to 0.6.x. This affects an unknown part. The manipulation leads to improperly controlled modification of object prototype attributes (\u0027prototype pollution\u0027). Upgrading to version 0.7.0 is able to address this issue. The name of the patch is a63f559c50d70e8cb2eaae670dec25d1dbc4afcd. It is recommended to upgrade the affected component. The identifier VDB-216765 was assigned to this vulnerability.",
  "id": "GHSA-mw4x-g2x8-qcvf",
  "modified": "2023-01-09T19:53:50Z",
  "published": "2022-12-25T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4278"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cronvel/tree-kit/commit/a63f559c50d70e8cb2eaae670dec25d1dbc4afcd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cronvel/tree-kit"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cronvel/tree-kit/releases/tag/v0.7.0"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.216765"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.216765"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "tree-kit vulnerable to Prototype Pollution"
}

GHSA-MWQ8-FJPF-C2GR

Vulnerability from github – Published: 2023-03-30 20:19 – Updated: 2023-03-30 20:19
VLAI
Summary
Prototype pollution in matrix-js-sdk (part 2)
Details

Impact

In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the Object.prototype, disrupting matrix-js-sdk functionality, causing denial of service and potentially affecting program logic.

(This is part 2, where CVE-2022-36059 / GHSA-rfv9-x7hh-xc32 is part 1. Part 2 covers remaining vectors not covered by part 1, found in a codebase audit scheduled after part 1.)

Patches

The issue has been patched in matrix-js-sdk 24.0.0.

Workarounds

None.

References

  • Release blog post
  • The advisory GHSA-rfv9-x7hh-xc32 (CVE-2022-36059) refers to an initial set of vulnerable locations discovered and patched in matrix-js-sdk 19.4.0. We opted not to disclose that advisory while we performed an audit of the codebase and are now disclosing it jointly with this one.

For more information

If you have any questions or comments about this advisory please email us at security at matrix.org.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "matrix-js-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28427"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-30T20:19:18Z",
    "nvd_published_at": "2023-03-28T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nIn certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the `Object.prototype`, disrupting matrix-js-sdk functionality, causing denial of service and potentially affecting program logic.\n\n(This is part 2, where [CVE-2022-36059](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36059) / [GHSA-rfv9-x7hh-xc32](https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32) is part 1. Part 2 covers remaining vectors not covered by part 1, found in a codebase audit scheduled after part 1.)\n\n### Patches\nThe issue has been patched in matrix-js-sdk 24.0.0.\n\n### Workarounds\nNone.\n\n### References\n\n- [Release blog post](https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0)\n- The advisory [GHSA-rfv9-x7hh-xc32](https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32) ([CVE-2022-36059](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36059)) refers to an initial set of vulnerable locations discovered and patched in matrix-js-sdk 19.4.0. We opted not to disclose that advisory while we performed an audit of the codebase and are now disclosing it jointly with this one.\n\n### For more information\nIf you have any questions or comments about this advisory please email us at [security at matrix.org](mailto:security@matrix.org).\n",
  "id": "GHSA-mwq8-fjpf-c2gr",
  "modified": "2023-03-30T20:19:18Z",
  "published": "2023-03-30T20:19:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28427"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/matrix-org/matrix-js-sdk"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html"
    },
    {
      "type": "WEB",
      "url": "https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202305-36"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5392"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in matrix-js-sdk (part 2)"
}

GHSA-MWV9-GP5H-FRR4

Vulnerability from github – Published: 2026-03-12 16:38 – Updated: 2026-06-26 20:30
VLAI
Summary
Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties
Details

In some circumstances, devalue.parse and devalue.unflatten could emit objects with __proto__ own properties. This in and of itself is not a security vulnerability (and is possible with, for example, JSON.parse as well), but it can result in prototype injection if downstream code handles it incorrectly:

const result = devalue.parse(/* input creating an object with a __proto__ property */);
const target = {};
Object.assign(target, result); // target's prototype is now polluted
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "devalue"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "5.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T16:38:15Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "In some circumstances, `devalue.parse` and `devalue.unflatten` could emit objects with `__proto__` own properties. This in and of itself is not a security vulnerability (and is possible with, for example, `JSON.parse` as well), but it can result in prototype injection if _downstream_ code handles it incorrectly:\n\n```ts\nconst result = devalue.parse(/* input creating an object with a __proto__ property */);\nconst target = {};\nObject.assign(target, result); // target\u0027s prototype is now polluted\n```",
  "id": "GHSA-mwv9-gp5h-frr4",
  "modified": "2026-06-26T20:30:20Z",
  "published": "2026-03-12T16:38:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/devalue/security/advisories/GHSA-mwv9-gp5h-frr4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/devalue/commit/87c1f3ce3759765a061cfe34843ecc4b0711ba8d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sveltejs/devalue"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/devalue/releases/tag/v5.6.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Sveltejs devalue\u0027s `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.