CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
780 vulnerabilities reference this CWE, most recent first.
GHSA-MHWJ-73QX-JQXM
Vulnerability from github – Published: 2026-05-11 16:10 – Updated: 2026-05-11 16:10Summary
@theecryptochad/merge-guard versions prior to 1.0.1 are vulnerable to Prototype Pollution via the deepMerge() function. An attacker who controls the source object can inject __proto__ keys that mutate Object.prototype, affecting all objects in the Node.js runtime.
Details
The deepMerge() function recursively merges two objects without sanitizing reserved property keys (__proto__, constructor, prototype). When a source object contains a __proto__ key, its value is assigned to target.__proto__, which JavaScript engines interpret as a write to Object.prototype.
Proof of Concept
const { deepMerge } = require('@theecryptochad/merge-guard');
const payload = JSON.parse('{"__proto__":{"isAdmin":true}}');
deepMerge({}, payload);
console.log({}.isAdmin); // true — Object.prototype is polluted
Impact
Any application using deepMerge() with untrusted input (e.g. user-supplied JSON from HTTP requests, WebSocket messages, or config files) is vulnerable. An attacker can inject arbitrary properties onto Object.prototype, enabling privilege escalation, application logic bypass, and property injection.
Remediation
Upgrade to @theecryptochad/merge-guard >= 1.0.1, which adds an explicit blocklist:
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
if (BLOCKED.has(key)) continue;
References
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@theecryptochad/merge-guard"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-11T16:10:12Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\n`@theecryptochad/merge-guard` versions prior to 1.0.1 are vulnerable to Prototype Pollution via the `deepMerge()` function. An attacker who controls the source object can inject `__proto__` keys that mutate `Object.prototype`, affecting all objects in the Node.js runtime.\n\n## Details\n\nThe `deepMerge()` function recursively merges two objects without sanitizing reserved property keys (`__proto__`, `constructor`, `prototype`). When a source object contains a `__proto__` key, its value is assigned to `target.__proto__`, which JavaScript engines interpret as a write to `Object.prototype`.\n\n## Proof of Concept\n\n```js\nconst { deepMerge } = require(\u0027@theecryptochad/merge-guard\u0027);\nconst payload = JSON.parse(\u0027{\"__proto__\":{\"isAdmin\":true}}\u0027);\ndeepMerge({}, payload);\nconsole.log({}.isAdmin); // true \u2014 Object.prototype is polluted\n```\n\n## Impact\n\nAny application using `deepMerge()` with untrusted input (e.g. user-supplied JSON from HTTP requests, WebSocket messages, or config files) is vulnerable. An attacker can inject arbitrary properties onto `Object.prototype`, enabling privilege escalation, application logic bypass, and property injection.\n\n## Remediation\n\nUpgrade to `@theecryptochad/merge-guard \u003e= 1.0.1`, which adds an explicit blocklist:\n\n```js\nconst BLOCKED = new Set([\u0027__proto__\u0027, \u0027constructor\u0027, \u0027prototype\u0027]);\nif (BLOCKED.has(key)) continue;\n```\n\n## References\n- [CWE-1321: Improper Neutralization of Special Elements in Object Keys](https://cwe.mitre.org/data/definitions/1321.html)\n- [OWASP: Prototype Pollution](https://owasp.org/www-community/attacks/Prototype_Pollution)\n- [Fix commit](https://github.com/TheeCryptoChad/merge-guard/releases/tag/v1.0.1)",
"id": "GHSA-mhwj-73qx-jqxm",
"modified": "2026-05-11T16:10:12Z",
"published": "2026-05-11T16:10:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TheeCryptoChad/merge-guard/security/advisories/GHSA-mhwj-73qx-jqxm"
},
{
"type": "WEB",
"url": "https://github.com/TheeCryptoChad/merge-guard/commit/25e4b4f2618578a656ef3cb4946a1b475f736736"
},
{
"type": "PACKAGE",
"url": "https://github.com/TheeCryptoChad/merge-guard"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "@theecryptochad/merge-guard has Prototype Pollution in its deepMerge() function"
}
GHSA-MJ4P-GMHR-92G3
Vulnerability from github – Published: 2024-06-17 18:31 – Updated: 2024-07-05 17:26akbr update 1.0.0 is vulnerable to Prototype Pollution via update/index.js.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@akbr/update"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-36578"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-17T22:30:05Z",
"nvd_published_at": "2024-06-17T16:15:15Z",
"severity": "MODERATE"
},
"details": "akbr update 1.0.0 is vulnerable to Prototype Pollution via update/index.js.",
"id": "GHSA-mj4p-gmhr-92g3",
"modified": "2024-07-05T17:26:43Z",
"published": "2024-06-17T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36578"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/8bc749ec2b5453d887b2f4a362a65897"
},
{
"type": "PACKAGE",
"url": "https://github.com/akbr/update"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "@akbr/update Prototype Pollution"
}
GHSA-MJ9H-QP8G-G746
Vulnerability from github – Published: 2024-07-30 21:31 – Updated: 2024-08-01 15:32chase-moskal snapstate v0.0.9 was discovered to contain a prototype pollution via the function attemptNestedProperty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
{
"affected": [],
"aliases": [
"CVE-2024-39010"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-30T20:15:04Z",
"severity": "CRITICAL"
},
"details": "chase-moskal snapstate v0.0.9 was discovered to contain a prototype pollution via the function attemptNestedProperty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
"id": "GHSA-mj9h-qp8g-g746",
"modified": "2024-08-01T15:32:15Z",
"published": "2024-07-30T21:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39010"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/af7a746df91ab5e944bd7a186816c262"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MJJJ-6P43-VHHV
Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-06-29 21:52All versions of package deep-get-set are vulnerable to Prototype Pollution via the 'deep' function. Note: This vulnerability derives from an incomplete fix of CVE-2020-7715
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "deep-get-set"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-21231"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-29T21:52:18Z",
"nvd_published_at": "2022-06-24T20:15:00Z",
"severity": "HIGH"
},
"details": "All versions of package deep-get-set are vulnerable to Prototype Pollution via the \u0027deep\u0027 function. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7715](https://security.snyk.io/vuln/SNYK-JS-DEEPGETSET-598666)",
"id": "GHSA-mjjj-6p43-vhhv",
"modified": "2022-06-29T21:52:18Z",
"published": "2022-06-25T00:00:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21231"
},
{
"type": "PACKAGE",
"url": "https://github.com/acstll/deep-get-set"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-DEEPGETSET-2342655"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in deep-get-set"
}
GHSA-MMHX-HMJR-R674
Vulnerability from github – Published: 2024-09-16 20:34 – Updated: 2024-09-16 22:37It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.
This renders dompurify unable to avoid XSS attack.
Fixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "dompurify"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "dompurify"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45801"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-16T20:34:26Z",
"nvd_published_at": "2024-09-16T19:16:11Z",
"severity": "HIGH"
},
"details": "It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.\n\nThis renders dompurify unable to avoid XSS attack.\n\nFixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).",
"id": "GHSA-mmhx-hmjr-r674",
"modified": "2024-09-16T22:37:33Z",
"published": "2024-09-16T20:34:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45801"
},
{
"type": "WEB",
"url": "https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21"
},
{
"type": "WEB",
"url": "https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc"
},
{
"type": "PACKAGE",
"url": "https://github.com/cure53/DOMPurify"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "DOMPurify allows tampering by prototype pollution"
}
GHSA-MMJ4-777P-FPQ9
Vulnerability from github – Published: 2022-02-07 22:38 – Updated: 2023-07-13 19:05日本語
影響
v0.26.0以前のfrourioを使用している、かつvalidators/を利用している場合、ネストされたバリデータがリクエストのボディーとクエリに対して正しく働かないケースがあります。また、リクエストに対してバリデーションが効かなくなる入力があります。
パッチ
frourioをv0.26.0かそれ以降のバージョンにアップデートをお願いします。frourio を使用したプロジェクトには class-transformer と reflect-metadata の依存への追加も必要となります。
ワークアラウンド
controller側で自分でclass-transformerを使用してチェックする、vaildatorを使わない、など。
さらなる情報
このセキュリティ勧告に関する質問やコメントについては、以下の方法でお問い合わせいただけます。 * frourioにIssueを開く。
English
Impact
Frourio users who uses frourio version prior to v0.26.0 and integration with class-validator through validators/ folder. Validators does not work properly for request bodies and queries in specific situations. Addtionally, some kind of input is not validated. (false positives)
Patches
Please update your frourio to v0.26.0 or later. You also need to install class-transformer and reflect-metadata to your project.
Workarounds
Validate objects from request with class-transformer in controllers by yourself, or prevent using validators.
For more information
If you have any questions or comments about this advisory: * Open an issue in frourio
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "frourio-express"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.26.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23624"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-07T22:38:37Z",
"nvd_published_at": "2022-02-07T23:15:00Z",
"severity": "HIGH"
},
"details": "## \u65e5\u672c\u8a9e\n\n### \u5f71\u97ff\nv0.26.0\u4ee5\u524d\u306efrourio\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u3001\u304b\u3064validators/\u3092\u5229\u7528\u3057\u3066\u3044\u308b\u5834\u5408\u3001\u30cd\u30b9\u30c8\u3055\u308c\u305f\u30d0\u30ea\u30c7\u30fc\u30bf\u304c\u30ea\u30af\u30a8\u30b9\u30c8\u306e\u30dc\u30c7\u30a3\u30fc\u3068\u30af\u30a8\u30ea\u306b\u5bfe\u3057\u3066\u6b63\u3057\u304f\u50cd\u304b\u306a\u3044\u30b1\u30fc\u30b9\u304c\u3042\u308a\u307e\u3059\u3002\u307e\u305f\u3001\u30ea\u30af\u30a8\u30b9\u30c8\u306b\u5bfe\u3057\u3066\u30d0\u30ea\u30c7\u30fc\u30b7\u30e7\u30f3\u304c\u52b9\u304b\u306a\u304f\u306a\u308b\u5165\u529b\u304c\u3042\u308a\u307e\u3059\u3002\n\n### \u30d1\u30c3\u30c1\nfrourio\u3092v0.26.0\u304b\u305d\u308c\u4ee5\u964d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306b\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u3092\u304a\u9858\u3044\u3057\u307e\u3059\u3002frourio \u3092\u4f7f\u7528\u3057\u305f\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u306b\u306f `class-transformer` \u3068 `reflect-metadata` \u306e\u4f9d\u5b58\u3078\u306e\u8ffd\u52a0\u3082\u5fc5\u8981\u3068\u306a\u308a\u307e\u3059\u3002\n\n### \u30ef\u30fc\u30af\u30a2\u30e9\u30a6\u30f3\u30c9\ncontroller\u5074\u3067\u81ea\u5206\u3067class-transformer\u3092\u4f7f\u7528\u3057\u3066\u30c1\u30a7\u30c3\u30af\u3059\u308b\u3001vaildator\u3092\u4f7f\u308f\u306a\u3044\u3001\u306a\u3069\u3002\n\n### \u3055\u3089\u306a\u308b\u60c5\u5831\n\n\u3053\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u52e7\u544a\u306b\u95a2\u3059\u308b\u8cea\u554f\u3084\u30b3\u30e1\u30f3\u30c8\u306b\u3064\u3044\u3066\u306f\u3001\u4ee5\u4e0b\u306e\u65b9\u6cd5\u3067\u304a\u554f\u3044\u5408\u308f\u305b\u3044\u305f\u3060\u3051\u307e\u3059\u3002\n* [frourio](https://github.com/frouriojs/frourio)\u306bIssue\u3092\u958b\u304f\u3002\n\n## English\n\n### Impact\nFrourio users who uses frourio version prior to v0.26.0 and integration with class-validator through `validators/` folder. Validators does not work properly for request bodies and queries in specific situations. Addtionally, some kind of input is not validated. (false positives)\n\n### Patches\nPlease update your frourio to v0.26.0 or later. You also need to install `class-transformer` and `reflect-metadata` to your project.\n\n### Workarounds\nValidate objects from request with class-transformer in controllers by yourself, or prevent using validators.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [frourio](https://github.com/frouriojs/frourio)\n",
"id": "GHSA-mmj4-777p-fpq9",
"modified": "2023-07-13T19:05:32Z",
"published": "2022-02-07T22:38:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/frouriojs/frourio-express/security/advisories/GHSA-mmj4-777p-fpq9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23624"
},
{
"type": "WEB",
"url": "https://github.com/frouriojs/frourio-express/commit/73ded5c6f9f1c126c0cb2d05c0505e9e4db142d2"
},
{
"type": "PACKAGE",
"url": "https://github.com/frouriojs/frourio-express"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Validation bypass in frourio-express"
}
GHSA-MQGV-67VX-G4M5
Vulnerability from github – Published: 2022-02-09 22:45 – Updated: 2023-09-05 22:43All versions of package js-data prior to 3.0.10 are vulnerable to Prototype Pollution via the deepFillIn function.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "js-data"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28442"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-08T21:12:54Z",
"nvd_published_at": "2020-12-15T08:15:00Z",
"severity": "CRITICAL"
},
"details": "All versions of package js-data prior to 3.0.10 are vulnerable to Prototype Pollution via the `deepFillIn` function.",
"id": "GHSA-mqgv-67vx-g4m5",
"modified": "2023-09-05T22:43:18Z",
"published": "2022-02-09T22:45:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28442"
},
{
"type": "WEB",
"url": "https://github.com/js-data/js-data/pull/574"
},
{
"type": "WEB",
"url": "https://github.com/js-data/js-data/commit/2d9eed5d3e9710d7e7fecc6f6437c39fe73a4097"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-JSDATA-1023655"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in js-data"
}
GHSA-MW4X-G2X8-QCVF
Vulnerability from github – Published: 2022-12-25 18:30 – Updated: 2023-01-09 19:53A vulnerability classified as problematic has been found in cronvel tree-kit up to 0.6.x. This affects an unknown part. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). Upgrading to version 0.7.0 is able to address this issue. The name of the patch is a63f559c50d70e8cb2eaae670dec25d1dbc4afcd. It is recommended to upgrade the affected component. The identifier VDB-216765 was assigned to this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "tree-kit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-4278"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-09T19:53:50Z",
"nvd_published_at": "2022-12-25T16:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability classified as problematic has been found in cronvel tree-kit up to 0.6.x. This affects an unknown part. The manipulation leads to improperly controlled modification of object prototype attributes (\u0027prototype pollution\u0027). Upgrading to version 0.7.0 is able to address this issue. The name of the patch is a63f559c50d70e8cb2eaae670dec25d1dbc4afcd. It is recommended to upgrade the affected component. The identifier VDB-216765 was assigned to this vulnerability.",
"id": "GHSA-mw4x-g2x8-qcvf",
"modified": "2023-01-09T19:53:50Z",
"published": "2022-12-25T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4278"
},
{
"type": "WEB",
"url": "https://github.com/cronvel/tree-kit/commit/a63f559c50d70e8cb2eaae670dec25d1dbc4afcd"
},
{
"type": "PACKAGE",
"url": "https://github.com/cronvel/tree-kit"
},
{
"type": "WEB",
"url": "https://github.com/cronvel/tree-kit/releases/tag/v0.7.0"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.216765"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.216765"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "tree-kit vulnerable to Prototype Pollution"
}
GHSA-MWQ8-FJPF-C2GR
Vulnerability from github – Published: 2023-03-30 20:19 – Updated: 2023-03-30 20:19Impact
In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the Object.prototype, disrupting matrix-js-sdk functionality, causing denial of service and potentially affecting program logic.
(This is part 2, where CVE-2022-36059 / GHSA-rfv9-x7hh-xc32 is part 1. Part 2 covers remaining vectors not covered by part 1, found in a codebase audit scheduled after part 1.)
Patches
The issue has been patched in matrix-js-sdk 24.0.0.
Workarounds
None.
References
- Release blog post
- The advisory GHSA-rfv9-x7hh-xc32 (CVE-2022-36059) refers to an initial set of vulnerable locations discovered and patched in matrix-js-sdk 19.4.0. We opted not to disclose that advisory while we performed an audit of the codebase and are now disclosing it jointly with this one.
For more information
If you have any questions or comments about this advisory please email us at security at matrix.org.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "matrix-js-sdk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "24.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-28427"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-30T20:19:18Z",
"nvd_published_at": "2023-03-28T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nIn certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the `Object.prototype`, disrupting matrix-js-sdk functionality, causing denial of service and potentially affecting program logic.\n\n(This is part 2, where [CVE-2022-36059](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36059) / [GHSA-rfv9-x7hh-xc32](https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32) is part 1. Part 2 covers remaining vectors not covered by part 1, found in a codebase audit scheduled after part 1.)\n\n### Patches\nThe issue has been patched in matrix-js-sdk 24.0.0.\n\n### Workarounds\nNone.\n\n### References\n\n- [Release blog post](https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0)\n- The advisory [GHSA-rfv9-x7hh-xc32](https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32) ([CVE-2022-36059](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36059)) refers to an initial set of vulnerable locations discovered and patched in matrix-js-sdk 19.4.0. We opted not to disclose that advisory while we performed an audit of the codebase and are now disclosing it jointly with this one.\n\n### For more information\nIf you have any questions or comments about this advisory please email us at [security at matrix.org](mailto:security@matrix.org).\n",
"id": "GHSA-mwq8-fjpf-c2gr",
"modified": "2023-03-30T20:19:18Z",
"published": "2023-03-30T20:19:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr"
},
{
"type": "WEB",
"url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28427"
},
{
"type": "PACKAGE",
"url": "https://github.com/matrix-org/matrix-js-sdk"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html"
},
{
"type": "WEB",
"url": "https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-36"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5392"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in matrix-js-sdk (part 2)"
}
GHSA-MWV9-GP5H-FRR4
Vulnerability from github – Published: 2026-03-12 16:38 – Updated: 2026-06-26 20:30In some circumstances, devalue.parse and devalue.unflatten could emit objects with __proto__ own properties. This in and of itself is not a security vulnerability (and is possible with, for example, JSON.parse as well), but it can result in prototype injection if downstream code handles it incorrectly:
const result = devalue.parse(/* input creating an object with a __proto__ property */);
const target = {};
Object.assign(target, result); // target's prototype is now polluted
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "devalue"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "5.6.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-12T16:38:15Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "In some circumstances, `devalue.parse` and `devalue.unflatten` could emit objects with `__proto__` own properties. This in and of itself is not a security vulnerability (and is possible with, for example, `JSON.parse` as well), but it can result in prototype injection if _downstream_ code handles it incorrectly:\n\n```ts\nconst result = devalue.parse(/* input creating an object with a __proto__ property */);\nconst target = {};\nObject.assign(target, result); // target\u0027s prototype is now polluted\n```",
"id": "GHSA-mwv9-gp5h-frr4",
"modified": "2026-06-26T20:30:20Z",
"published": "2026-03-12T16:38:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sveltejs/devalue/security/advisories/GHSA-mwv9-gp5h-frr4"
},
{
"type": "WEB",
"url": "https://github.com/sveltejs/devalue/commit/87c1f3ce3759765a061cfe34843ecc4b0711ba8d"
},
{
"type": "PACKAGE",
"url": "https://github.com/sveltejs/devalue"
},
{
"type": "WEB",
"url": "https://github.com/sveltejs/devalue/releases/tag/v5.6.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Sveltejs devalue\u0027s `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.