Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

780 vulnerabilities reference this CWE, most recent first.

GHSA-P5M3-27VH-52J4

Vulnerability from github – Published: 2022-10-26 12:00 – Updated: 2022-10-31 19:25
VLAI
Summary
Feather-Sequelize cleanQuery method vulnerable to Prototype Pollution
Details

Feather-Sequelize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "feathers-sequelize"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-29823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-31T19:25:00Z",
    "nvd_published_at": "2022-10-26T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Feather-Sequelize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application.",
  "id": "GHSA-p5m3-27vh-52j4",
  "modified": "2022-10-31T19:25:00Z",
  "published": "2022-10-26T12:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29823"
    },
    {
      "type": "WEB",
      "url": "https://github.com/feathersjs-ecosystem/feathers-sequelize/commit/0b7beaa773dc313fdb27edd9ee8115064d7cf114"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/CVE-2022-29823"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/DIVD-2022-00020"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/cases/DIVD-2022-00020"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/cves/CVE-2022-29823"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/feathersjs-ecosystem/feathers-sequelize"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Feather-Sequelize cleanQuery method vulnerable to Prototype Pollution"
}

GHSA-P6H4-93QP-JHCM

Vulnerability from github – Published: 2022-03-11 23:53 – Updated: 2022-04-19 18:24
VLAI
Summary
Command injection in Parse Server through prototype pollution
Details

Impact

This is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file DatabaseController.js, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows.

Patches

Upgrade to Parse Server >=4.10.7. If you are using a prerelease version of Parse Server 5.0 (alpha, beta) we will publish a timely fix for these. However, as a general reminder we do not consider prerelease versions to be suitable for production deployment.

Note that as part of the fix a new security feature scans for sensitive keywords in request data to prevent JavaScript prototype pollution. If such a keyword is found, the request is rejected with HTTP response code 400 and Parse Error 105 (INVALID_KEY_NAME). By default these keywords are: {_bsontype: "Code"}, constructor, __proto__. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server option requestKeywordDenylist to [] and specify your own keywords as needed.

Workarounds

Although the fix is more broad and includes several aspects of the vulnerability, a quick and targeted fix can be achieved by patching the MongoDB Node.js driver and disable BSON code execution. To apply the patch, add the following code to be executed before starting Parse Server, for example in index.js.

const BSON = require('bson');
 const internalDeserialize = BSON.prototype.deserialize;
 BSON.prototype.deserialize = (buffer, options = Object.create(null), ...others) => {
   if (options.constructor) {
     options = Object.assign(Object.create(null), options);
   }
   return internalDeserialize(buffer, options, ...others);
 };
 const internalDeserializeStream = BSON.prototype.deserializeStream;
 BSON.prototype.deserializeStream = (
   data,
   startIndex,
   numberOfDocuments,
   documents,
   docStartIndex,
   options = Object.create(null),
   ...others
 ) => {
   if (options.constructor) {
     options = Object.assign(Object.create(null), options);
   }
   return internalDeserializeStream(
     data,
     startIndex,
     numberOfDocuments,
     documents,
     docStartIndex,
     options,
     ...others
   );
 };

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.10.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24760"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-11T23:53:23Z",
    "nvd_published_at": "2022-03-12T00:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nThis is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows.\n\n### Patches\nUpgrade to Parse Server \u003e=4.10.7. If you are using a prerelease version of Parse Server 5.0 (alpha, beta) we will publish a timely fix for these. However, as a general reminder we do not consider prerelease versions to be suitable for production deployment.\n\nNote that as part of the fix a new security feature scans for sensitive keywords in request data to prevent JavaScript prototype pollution. If such a keyword is found, the request is rejected with HTTP response code `400` and Parse Error `105` (`INVALID_KEY_NAME`). By default these keywords are: `{_bsontype: \"Code\"}`, `constructor`, `__proto__`. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server option `requestKeywordDenylist` to `[]` and specify your own keywords as needed.\n\n### Workarounds\nAlthough the fix is more broad and includes several aspects of the vulnerability, a quick and targeted fix can be achieved by patching the MongoDB Node.js driver and disable BSON code execution. To apply the patch, add the following code to be executed before starting Parse Server, for example in `index.js`.\n\n```\nconst BSON = require(\u0027bson\u0027);\n const internalDeserialize = BSON.prototype.deserialize;\n BSON.prototype.deserialize = (buffer, options = Object.create(null), ...others) =\u003e {\n   if (options.constructor) {\n     options = Object.assign(Object.create(null), options);\n   }\n   return internalDeserialize(buffer, options, ...others);\n };\n const internalDeserializeStream = BSON.prototype.deserializeStream;\n BSON.prototype.deserializeStream = (\n   data,\n   startIndex,\n   numberOfDocuments,\n   documents,\n   docStartIndex,\n   options = Object.create(null),\n   ...others\n ) =\u003e {\n   if (options.constructor) {\n     options = Object.assign(Object.create(null), options);\n   }\n   return internalDeserializeStream(\n     data,\n     startIndex,\n     numberOfDocuments,\n     documents,\n     docStartIndex,\n     options,\n     ...others\n   );\n };\n```\n\n### References\n- Original report on [huntr.dev](https://www.huntr.dev/bounties/ac24b343-e7da-4bc7-ab38-4f4f5cc9d099/)\n",
  "id": "GHSA-p6h4-93qp-jhcm",
  "modified": "2022-04-19T18:24:25Z",
  "published": "2022-03-11T23:53:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p6h4-93qp-jhcm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24760"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/886bfd7cac69496e3f73d4bb536f0eec3cba0e4d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    },
    {
      "type": "WEB",
      "url": "https://www.huntr.dev/bounties/ac24b343-e7da-4bc7-ab38-4f4f5cc9d099"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Command injection in Parse Server through prototype pollution"
}

GHSA-P6JH-P7Q8-PCRG

Vulnerability from github – Published: 2021-05-06 18:26 – Updated: 2021-05-05 17:59
VLAI
Summary
Prototype Pollution in nodee-utils
Details

All versions of package nodee-utils below version 1.2.3 are vulnerable to Prototype Pollution via the deepSet function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nodee-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7722"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T17:59:12Z",
    "nvd_published_at": "2020-09-01T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "All versions of package nodee-utils below version 1.2.3 are vulnerable to Prototype Pollution via the deepSet function.",
  "id": "GHSA-p6jh-p7q8-pcrg",
  "modified": "2021-05-05T17:59:12Z",
  "published": "2021-05-06T18:26:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7722"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodee-apps/utils/commit/52460d936c52f03c9907bc99ac5e890970cef83c"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-NODEEUTILS-598679"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in nodee-utils"
}

GHSA-P6MC-M468-83GW

Vulnerability from github – Published: 2020-07-15 19:15 – Updated: 2025-08-12 21:43
VLAI
Summary
Prototype Pollution in lodash
Details

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "fixed": "4.17.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash-es"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "fixed": "4.17.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash.pick"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "last_affected": "4.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash.set"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "last_affected": "4.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash.setwith"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash.update"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash.updatewith"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "lodash-rails"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "fixed": "4.17.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-8203"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-07-15T19:14:58Z",
    "nvd_published_at": "2020-07-15T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.",
  "id": "GHSA-p6mc-m468-83gw",
  "modified": "2025-08-12T21:43:38Z",
  "published": "2020-07-15T19:15:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lodash/lodash/issues/4744"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lodash/lodash/issues/4874"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/advisory-database/pull/2884"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/712065"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/864701"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lodash/lodash"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lodash/lodash/wiki/Changelog#v41719"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200724-0006"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in lodash"
}

GHSA-P6W8-VQV9-2HXJ

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2022-12-02 21:30
VLAI
Details

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17316"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-07T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user.",
  "id": "GHSA-p6w8-vqv9-2hxj",
  "modified": "2022-12-02T21:30:46Z",
  "published": "2022-05-24T16:58:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17316"
    },
    {
      "type": "WEB",
      "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-043"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P734-XG27-8CFQ

Vulnerability from github – Published: 2024-08-12 15:30 – Updated: 2024-08-13 19:23
VLAI
Summary
Prototype pollution in izatop bunt
Details

izatop bunt v0.29.19 was discovered to contain a prototype pollution via the component /esm/qs.js. This vulnerability allows attackers to execute arbitrary code via injecting arbitrary properties.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@bunt/app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.29.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-38989"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-13T19:23:49Z",
    "nvd_published_at": "2024-08-12T13:38:24Z",
    "severity": "CRITICAL"
  },
  "details": "izatop bunt v0.29.19 was discovered to contain a prototype pollution via the component /esm/qs.js. This vulnerability allows attackers to execute arbitrary code via injecting arbitrary properties.",
  "id": "GHSA-p734-xg27-8cfq",
  "modified": "2024-08-13T19:23:49Z",
  "published": "2024-08-12T15:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38989"
    },
    {
      "type": "WEB",
      "url": "https://github.com/izatop/bunt/issues/27"
    },
    {
      "type": "WEB",
      "url": "https://github.com/izatop/bunt/commit/c55201a8cee03e5282f99874dead988c80d31db7"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/5e9830fb180a34d65f04fafb52d2b94b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/izatop/bunt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in izatop bunt"
}

GHSA-P859-WPRC-3CJX

Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-16 18:31
VLAI
Details

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1802"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-22T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR \u003c 91.9.1, Firefox \u003c 100.0.2, Firefox for Android \u003c 100.3.0, and Thunderbird \u003c 91.9.1.",
  "id": "GHSA-p859-wprc-3cjx",
  "modified": "2025-04-16T18:31:35Z",
  "published": "2022-12-22T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1802"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1770137"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-19"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8FR-G8W4-CVV6

Vulnerability from github – Published: 2024-07-01 15:32 – Updated: 2024-08-21 21:30
VLAI
Details

ahilfoley cahil/utils v2.3.2 was discovered to contain a prototype pollution via the function set. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39014"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-01T13:15:05Z",
    "severity": "CRITICAL"
  },
  "details": "ahilfoley cahil/utils v2.3.2 was discovered to contain a prototype pollution via the function set. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
  "id": "GHSA-p8fr-g8w4-cvv6",
  "modified": "2024-08-21T21:30:45Z",
  "published": "2024-07-01T15:32:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39014"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/0501db31c1a6864a169e47097f26ac57"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9PC-299P-VXGP

Vulnerability from github – Published: 2020-09-04 18:00 – Updated: 2022-08-02 21:44
VLAI
Summary
yargs-parser Vulnerable to Prototype Pollution
Details

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Recommendation

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "yargs-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "13.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "yargs-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "15.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "yargs-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0"
            },
            {
              "fixed": "18.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "yargs-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7608"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T19:01:32Z",
    "nvd_published_at": "2020-03-16T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects.  \nParsing the argument `--foo.__proto__.bar baz\u0027` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.\n\n\n\n## Recommendation\n\nUpgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.",
  "id": "GHSA-p9pc-299p-vxgp",
  "modified": "2022-08-02T21:44:02Z",
  "published": "2020-09-04T18:00:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/yargs/yargs-parser"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1500"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "yargs-parser Vulnerable to Prototype Pollution"
}

GHSA-PC47-G7GV-4GPW

Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-02-21 15:18
VLAI
Summary
@rpldy/uploader prototype pollution
Details

A prototype pollution in the lib.createUploader function of @rpldy/uploader v1.8.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@rpldy/uploader"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-57082"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-06T23:47:52Z",
    "nvd_published_at": "2025-02-05T22:15:32Z",
    "severity": "HIGH"
  },
  "details": "A prototype pollution in the lib.createUploader function of @rpldy/uploader v1.8.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.",
  "id": "GHSA-pc47-g7gv-4gpw",
  "modified": "2025-02-21T15:18:10Z",
  "published": "2025-02-06T06:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57082"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rpldy/react-uploady/commit/386e0a80c428eb988e89fd2acf9bb0b786ac8028"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/tariqhawis/708e518de0c3b5af7430ec774f68f315"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rpldy/react-uploady"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rpldy/react-uploady/releases/tag/v1.9.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@rpldy/uploader prototype pollution"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.