CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
780 vulnerabilities reference this CWE, most recent first.
GHSA-P5M3-27VH-52J4
Vulnerability from github – Published: 2022-10-26 12:00 – Updated: 2022-10-31 19:25Feather-Sequelize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "feathers-sequelize"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-29823"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-31T19:25:00Z",
"nvd_published_at": "2022-10-26T10:15:00Z",
"severity": "CRITICAL"
},
"details": "Feather-Sequelize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application.",
"id": "GHSA-p5m3-27vh-52j4",
"modified": "2022-10-31T19:25:00Z",
"published": "2022-10-26T12:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29823"
},
{
"type": "WEB",
"url": "https://github.com/feathersjs-ecosystem/feathers-sequelize/commit/0b7beaa773dc313fdb27edd9ee8115064d7cf114"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/CVE-2022-29823"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/DIVD-2022-00020"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/cases/DIVD-2022-00020"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/cves/CVE-2022-29823"
},
{
"type": "PACKAGE",
"url": "https://github.com/feathersjs-ecosystem/feathers-sequelize"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Feather-Sequelize cleanQuery method vulnerable to Prototype Pollution"
}
GHSA-P6H4-93QP-JHCM
Vulnerability from github – Published: 2022-03-11 23:53 – Updated: 2022-04-19 18:24Impact
This is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file DatabaseController.js, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows.
Patches
Upgrade to Parse Server >=4.10.7. If you are using a prerelease version of Parse Server 5.0 (alpha, beta) we will publish a timely fix for these. However, as a general reminder we do not consider prerelease versions to be suitable for production deployment.
Note that as part of the fix a new security feature scans for sensitive keywords in request data to prevent JavaScript prototype pollution. If such a keyword is found, the request is rejected with HTTP response code 400 and Parse Error 105 (INVALID_KEY_NAME). By default these keywords are: {_bsontype: "Code"}, constructor, __proto__. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server option requestKeywordDenylist to [] and specify your own keywords as needed.
Workarounds
Although the fix is more broad and includes several aspects of the vulnerability, a quick and targeted fix can be achieved by patching the MongoDB Node.js driver and disable BSON code execution. To apply the patch, add the following code to be executed before starting Parse Server, for example in index.js.
const BSON = require('bson');
const internalDeserialize = BSON.prototype.deserialize;
BSON.prototype.deserialize = (buffer, options = Object.create(null), ...others) => {
if (options.constructor) {
options = Object.assign(Object.create(null), options);
}
return internalDeserialize(buffer, options, ...others);
};
const internalDeserializeStream = BSON.prototype.deserializeStream;
BSON.prototype.deserializeStream = (
data,
startIndex,
numberOfDocuments,
documents,
docStartIndex,
options = Object.create(null),
...others
) => {
if (options.constructor) {
options = Object.assign(Object.create(null), options);
}
return internalDeserializeStream(
data,
startIndex,
numberOfDocuments,
documents,
docStartIndex,
options,
...others
);
};
References
- Original report on huntr.dev
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.10.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24760"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-11T23:53:23Z",
"nvd_published_at": "2022-03-12T00:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\nThis is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows.\n\n### Patches\nUpgrade to Parse Server \u003e=4.10.7. If you are using a prerelease version of Parse Server 5.0 (alpha, beta) we will publish a timely fix for these. However, as a general reminder we do not consider prerelease versions to be suitable for production deployment.\n\nNote that as part of the fix a new security feature scans for sensitive keywords in request data to prevent JavaScript prototype pollution. If such a keyword is found, the request is rejected with HTTP response code `400` and Parse Error `105` (`INVALID_KEY_NAME`). By default these keywords are: `{_bsontype: \"Code\"}`, `constructor`, `__proto__`. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server option `requestKeywordDenylist` to `[]` and specify your own keywords as needed.\n\n### Workarounds\nAlthough the fix is more broad and includes several aspects of the vulnerability, a quick and targeted fix can be achieved by patching the MongoDB Node.js driver and disable BSON code execution. To apply the patch, add the following code to be executed before starting Parse Server, for example in `index.js`.\n\n```\nconst BSON = require(\u0027bson\u0027);\n const internalDeserialize = BSON.prototype.deserialize;\n BSON.prototype.deserialize = (buffer, options = Object.create(null), ...others) =\u003e {\n if (options.constructor) {\n options = Object.assign(Object.create(null), options);\n }\n return internalDeserialize(buffer, options, ...others);\n };\n const internalDeserializeStream = BSON.prototype.deserializeStream;\n BSON.prototype.deserializeStream = (\n data,\n startIndex,\n numberOfDocuments,\n documents,\n docStartIndex,\n options = Object.create(null),\n ...others\n ) =\u003e {\n if (options.constructor) {\n options = Object.assign(Object.create(null), options);\n }\n return internalDeserializeStream(\n data,\n startIndex,\n numberOfDocuments,\n documents,\n docStartIndex,\n options,\n ...others\n );\n };\n```\n\n### References\n- Original report on [huntr.dev](https://www.huntr.dev/bounties/ac24b343-e7da-4bc7-ab38-4f4f5cc9d099/)\n",
"id": "GHSA-p6h4-93qp-jhcm",
"modified": "2022-04-19T18:24:25Z",
"published": "2022-03-11T23:53:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p6h4-93qp-jhcm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24760"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/886bfd7cac69496e3f73d4bb536f0eec3cba0e4d"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
},
{
"type": "WEB",
"url": "https://www.huntr.dev/bounties/ac24b343-e7da-4bc7-ab38-4f4f5cc9d099"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Command injection in Parse Server through prototype pollution"
}
GHSA-P6JH-P7Q8-PCRG
Vulnerability from github – Published: 2021-05-06 18:26 – Updated: 2021-05-05 17:59All versions of package nodee-utils below version 1.2.3 are vulnerable to Prototype Pollution via the deepSet function.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nodee-utils"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7722"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-05T17:59:12Z",
"nvd_published_at": "2020-09-01T10:15:00Z",
"severity": "CRITICAL"
},
"details": "All versions of package nodee-utils below version 1.2.3 are vulnerable to Prototype Pollution via the deepSet function.",
"id": "GHSA-p6jh-p7q8-pcrg",
"modified": "2021-05-05T17:59:12Z",
"published": "2021-05-06T18:26:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7722"
},
{
"type": "WEB",
"url": "https://github.com/nodee-apps/utils/commit/52460d936c52f03c9907bc99ac5e890970cef83c"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-NODEEUTILS-598679"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in nodee-utils"
}
GHSA-P6MC-M468-83GW
Vulnerability from github – Published: 2020-07-15 19:15 – Updated: 2025-08-12 21:43Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "lodash"
},
"ranges": [
{
"events": [
{
"introduced": "3.7.0"
},
{
"fixed": "4.17.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "lodash-es"
},
"ranges": [
{
"events": [
{
"introduced": "3.7.0"
},
{
"fixed": "4.17.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "lodash.pick"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"last_affected": "4.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "lodash.set"
},
"ranges": [
{
"events": [
{
"introduced": "3.7.0"
},
{
"last_affected": "4.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "lodash.setwith"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "lodash.update"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "lodash.updatewith"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "lodash-rails"
},
"ranges": [
{
"events": [
{
"introduced": "3.7.0"
},
{
"fixed": "4.17.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-8203"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2020-07-15T19:14:58Z",
"nvd_published_at": "2020-07-15T17:15:00Z",
"severity": "HIGH"
},
"details": "Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.",
"id": "GHSA-p6mc-m468-83gw",
"modified": "2025-08-12T21:43:38Z",
"published": "2020-07-15T19:15:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203"
},
{
"type": "WEB",
"url": "https://github.com/lodash/lodash/issues/4744"
},
{
"type": "WEB",
"url": "https://github.com/lodash/lodash/issues/4874"
},
{
"type": "WEB",
"url": "https://github.com/github/advisory-database/pull/2884"
},
{
"type": "WEB",
"url": "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/712065"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/864701"
},
{
"type": "PACKAGE",
"url": "https://github.com/lodash/lodash"
},
{
"type": "WEB",
"url": "https://github.com/lodash/lodash/wiki/Changelog#v41719"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200724-0006"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in lodash"
}
GHSA-P6W8-VQV9-2HXJ
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2022-12-02 21:30SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user.
{
"affected": [],
"aliases": [
"CVE-2019-17316"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-07T15:15:00Z",
"severity": "MODERATE"
},
"details": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user.",
"id": "GHSA-p6w8-vqv9-2hxj",
"modified": "2022-12-02T21:30:46Z",
"published": "2022-05-24T16:58:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17316"
},
{
"type": "WEB",
"url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-043"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P734-XG27-8CFQ
Vulnerability from github – Published: 2024-08-12 15:30 – Updated: 2024-08-13 19:23izatop bunt v0.29.19 was discovered to contain a prototype pollution via the component /esm/qs.js. This vulnerability allows attackers to execute arbitrary code via injecting arbitrary properties.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@bunt/app"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.29.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-38989"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-13T19:23:49Z",
"nvd_published_at": "2024-08-12T13:38:24Z",
"severity": "CRITICAL"
},
"details": "izatop bunt v0.29.19 was discovered to contain a prototype pollution via the component /esm/qs.js. This vulnerability allows attackers to execute arbitrary code via injecting arbitrary properties.",
"id": "GHSA-p734-xg27-8cfq",
"modified": "2024-08-13T19:23:49Z",
"published": "2024-08-12T15:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38989"
},
{
"type": "WEB",
"url": "https://github.com/izatop/bunt/issues/27"
},
{
"type": "WEB",
"url": "https://github.com/izatop/bunt/commit/c55201a8cee03e5282f99874dead988c80d31db7"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/5e9830fb180a34d65f04fafb52d2b94b"
},
{
"type": "PACKAGE",
"url": "https://github.com/izatop/bunt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in izatop bunt"
}
GHSA-P859-WPRC-3CJX
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-16 18:31If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.
{
"affected": [],
"aliases": [
"CVE-2022-1802"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "HIGH"
},
"details": "If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR \u003c 91.9.1, Firefox \u003c 100.0.2, Firefox for Android \u003c 100.3.0, and Thunderbird \u003c 91.9.1.",
"id": "GHSA-p859-wprc-3cjx",
"modified": "2025-04-16T18:31:35Z",
"published": "2022-12-22T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1802"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1770137"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-19"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P8FR-G8W4-CVV6
Vulnerability from github – Published: 2024-07-01 15:32 – Updated: 2024-08-21 21:30ahilfoley cahil/utils v2.3.2 was discovered to contain a prototype pollution via the function set. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
{
"affected": [],
"aliases": [
"CVE-2024-39014"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-01T13:15:05Z",
"severity": "CRITICAL"
},
"details": "ahilfoley cahil/utils v2.3.2 was discovered to contain a prototype pollution via the function set. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
"id": "GHSA-p8fr-g8w4-cvv6",
"modified": "2024-08-21T21:30:45Z",
"published": "2024-07-01T15:32:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39014"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/0501db31c1a6864a169e47097f26ac57"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P9PC-299P-VXGP
Vulnerability from github – Published: 2020-09-04 18:00 – Updated: 2022-08-02 21:44Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Recommendation
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "yargs-parser"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "13.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "yargs-parser"
},
"ranges": [
{
"events": [
{
"introduced": "14.0.0"
},
{
"fixed": "15.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "yargs-parser"
},
"ranges": [
{
"events": [
{
"introduced": "16.0.0"
},
{
"fixed": "18.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.0.0"
},
"package": {
"ecosystem": "npm",
"name": "yargs-parser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7608"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T19:01:32Z",
"nvd_published_at": "2020-03-16T20:15:00Z",
"severity": "MODERATE"
},
"details": "Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--foo.__proto__.bar baz\u0027` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.\n\n\n\n## Recommendation\n\nUpgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.",
"id": "GHSA-p9pc-299p-vxgp",
"modified": "2022-08-02T21:44:02Z",
"published": "2020-09-04T18:00:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608"
},
{
"type": "WEB",
"url": "https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36"
},
{
"type": "WEB",
"url": "https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2"
},
{
"type": "PACKAGE",
"url": "https://github.com/yargs/yargs-parser"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1500"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "yargs-parser Vulnerable to Prototype Pollution"
}
GHSA-PC47-G7GV-4GPW
Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-02-21 15:18A prototype pollution in the lib.createUploader function of @rpldy/uploader v1.8.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@rpldy/uploader"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-57082"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-06T23:47:52Z",
"nvd_published_at": "2025-02-05T22:15:32Z",
"severity": "HIGH"
},
"details": "A prototype pollution in the lib.createUploader function of @rpldy/uploader v1.8.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.",
"id": "GHSA-pc47-g7gv-4gpw",
"modified": "2025-02-21T15:18:10Z",
"published": "2025-02-06T06:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57082"
},
{
"type": "WEB",
"url": "https://github.com/rpldy/react-uploady/commit/386e0a80c428eb988e89fd2acf9bb0b786ac8028"
},
{
"type": "WEB",
"url": "https://gist.github.com/tariqhawis/708e518de0c3b5af7430ec774f68f315"
},
{
"type": "PACKAGE",
"url": "https://github.com/rpldy/react-uploady"
},
{
"type": "WEB",
"url": "https://github.com/rpldy/react-uploady/releases/tag/v1.9.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "@rpldy/uploader prototype pollution"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.