Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

779 vulnerabilities reference this CWE, most recent first.

GHSA-R96X-P6V3-J823

Vulnerability from github – Published: 2025-03-05 12:31 – Updated: 2025-04-02 18:30
VLAI
Details

Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2 , this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-25015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-05T10:15:20Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests.\nIn Kibana versions \u003e= 8.15.0 and \u003c 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2 , this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors",
  "id": "GHSA-r96x-p6v3-j823",
  "modified": "2025-04-02T18:30:48Z",
  "published": "2025-03-05T12:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25015"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/kibana-8-17-3-8-16-6-security-update-esa-2025-06/375441"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/kibana-8-17-3-security-update-esa-2025-06/375441"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R9W3-G83Q-M6HQ

Vulnerability from github – Published: 2022-04-01 17:26 – Updated: 2022-04-13 16:28
VLAI
Summary
Prototype Pollution in deepmerge-ts
Details

deepmerge-ts is used to merge 2 or more objects respecting type information. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords(). A fix was released in version 4.0.2. Currently, there is no known workaround.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "deepmerge-ts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24802"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-01T17:26:03Z",
    "nvd_published_at": "2022-04-01T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "deepmerge-ts is used to merge 2 or more objects respecting type information. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords(). A fix was released in version 4.0.2. Currently, there is no known workaround.",
  "id": "GHSA-r9w3-g83q-m6hq",
  "modified": "2022-04-13T16:28:10Z",
  "published": "2022-04-01T17:26:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/RebeccaStevens/deepmerge-ts/security/advisories/GHSA-r9w3-g83q-m6hq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24802"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RebeccaStevens/deepmerge-ts/commit/b39f1a93d9e1c3541bd2fe159fd696a16dbe1c72"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RebeccaStevens/deepmerge-ts/commit/d637db7e4fb2bfb113cb4bc1c85a125936d7081b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/RebeccaStevens/deepmerge-ts"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in deepmerge-ts"
}

GHSA-RC4V-99CR-PJCM

Vulnerability from github – Published: 2023-10-17 14:21 – Updated: 2023-10-17 14:21
VLAI
Summary
Prototype Pollution in ali-security/mongoose
Details

Impact

This vulnerability causes a Prototype Pollution in document.js, through functions such as findByIdAndUpdate(). For applications using Express and EJS, this can potentially allow remote code execution.

Patches

The original patched version for mongoose 5.3.3 did not include a fix for CVE-2023-3696. Therefore the existing version @seal-security/mongoose-fixed version 5.3.3 is affected by this vulnerability (though it is protected from CVE-2022-2564 and CVE-2019-17426). To mitigate this issue, a @seal-security/mongoose-fixed version 5.3.4 has been deployed. Note that this version is compatible with the original mongoose version 5.3.3, not version 5.3.4

References

https://security.snyk.io/vuln/SNYK-JS-MONGOOSE-5777721 https://github.com/advisories/GHSA-9m93-w8w6-76hh https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@seal-security/mongoose-fixed"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3.3"
            },
            {
              "fixed": "5.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "5.3.3"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-17T14:21:16Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\nThis vulnerability causes a Prototype Pollution in document.js, through functions such as findByIdAndUpdate().\nFor applications using Express and EJS, this can potentially allow remote code execution.\n\n### Patches\nThe original patched version for mongoose 5.3.3 did not include a fix for CVE-2023-3696. Therefore the existing version @seal-security/mongoose-fixed version 5.3.3 is affected by this vulnerability (though it is protected from CVE-2022-2564 and CVE-2019-17426). To mitigate this issue, a @seal-security/mongoose-fixed version 5.3.4 has been deployed. Note that this version is compatible with the original mongoose version 5.3.3, not version 5.3.4\n\n### References\nhttps://security.snyk.io/vuln/SNYK-JS-MONGOOSE-5777721\nhttps://github.com/advisories/GHSA-9m93-w8w6-76hh\nhttps://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2\n",
  "id": "GHSA-rc4v-99cr-pjcm",
  "modified": "2023-10-17T14:21:16Z",
  "published": "2023-10-17T14:21:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ali-security/mongoose/security/advisories/GHSA-rc4v-99cr-pjcm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ali-security/mongoose"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-MONGOOSE-5777721"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in ali-security/mongoose"
}

GHSA-RF6F-7FWH-WJGH

Vulnerability from github – Published: 2026-03-19 17:43 – Updated: 2026-03-25 18:22
VLAI
Summary
Prototype Pollution via parse() in NodeJS flatted
Details

Summary

The parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype.


Root Cause

File: esm/index.js:29 (identical in cjs/index.js)

  const resolver = (input, lazy, parsed, $) => output => {
    for (let ke = keys(output), {length} = ke, y = 0; y < length; y++) {
      const k = ke[y];
      const value = output[k];    
      if (value instanceof Primitive) {
        const tmp = input[value];      // Bug is here

No validation that value is a safe numeric index input is built as a plain Array. JavaScript's property lookup on arrays traverses the prototype chain for non-numeric keys. The key "__proto__" resolves to Array.prototype, which:

  • has type "object" → passes the typeof tmp === object guard at line 30
  • is not in the parsed Set yet → passes the !parsed.has(tmp) guard.
  • The reference to Array.prototype is then enqueued in lazy and later unconditionally assigned to the output object.

Replication Steps

  const Flatted = require('flatted'); 
  const parsed = Flatted.parse('[{"x":"__proto__"}]');
  parsed.x.polluted = 'pwned';
  console.log([].polluted);  // Returns true

Impact An attacker can supply a crafted flatted string to parse() that causes the returned object to hold a live reference to Array.prototype, enabling any downstream code that writes to that property to pollute the global prototype chain, potentially causing denial of service or code execution.

Recommended solution Validate that the index string represents an integer within the bounds of input before accessing it:

// Before (vulnerable) const tmp = input[value];

// After (safe) const idx = +value; // coerce boxed String → number const tmp = (Number.isInteger(idx) && idx >= 0 && idx < input.length) ? input[idx] : undefined;

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.4.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flatted"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33228"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T17:43:54Z",
    "nvd_published_at": "2026-03-20T23:16:46Z",
    "severity": "HIGH"
  },
  "details": "---\n  **Summary**\n\n  The parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index\n  keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it\n  with the key \"\\_\\_proto\\_\\_\" returns Array.prototype via the inherited getter. This object is then treated as a legitimate\n   parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype\n   to the consumer. Any code that subsequently writes to that property will pollute the global prototype.\n\n  ---\n  **Root Cause**\n\n  File: esm/index.js:29 (identical in cjs/index.js)\n```\n  const resolver = (input, lazy, parsed, $) =\u003e output =\u003e {\n    for (let ke = keys(output), {length} = ke, y = 0; y \u003c length; y++) {\n      const k = ke[y];\n      const value = output[k];    \n      if (value instanceof Primitive) {\n        const tmp = input[value];      // Bug is here\n```\n\nNo validation that value is a safe numeric index input is built as a plain Array. JavaScript\u0027s property lookup on arrays traverses the prototype chain for non-numeric  keys. The key \"\\_\\_proto\\_\\_\" resolves to Array.prototype, which:\n\n  - has type \"object\" \u2192 passes the typeof tmp === object guard at line 30\n  - is not in the parsed Set yet \u2192 passes the !parsed.has(tmp) guard.\n  - The reference to Array.prototype is then enqueued in lazy and later unconditionally assigned to the output object.\n  ---\n  **Replication Steps**\n```\n  const Flatted = require(\u0027flatted\u0027); \n  const parsed = Flatted.parse(\u0027[{\"x\":\"__proto__\"}]\u0027);\n  parsed.x.polluted = \u0027pwned\u0027;\n  console.log([].polluted);  // Returns true\n``` \n ---\n  **Impact**\n An attacker can supply a crafted flatted string to parse() that causes the returned object to hold a live reference to Array.prototype, enabling any downstream code that writes to that property to pollute the global prototype chain, potentially causing denial of service or code execution.\n\n  **Recommended solution**\n Validate that the index string represents an integer within the bounds of input before accessing it:\n\n  // Before (vulnerable)\n  const tmp = input[value];\n\n  // After (safe)\n  const idx = +value;  // coerce boxed String \u2192 number\n  const tmp = (Number.isInteger(idx) \u0026\u0026 idx \u003e= 0 \u0026\u0026 idx \u003c input.length)\n    ? input[idx]\n    : undefined;",
  "id": "GHSA-rf6f-7fwh-wjgh",
  "modified": "2026-03-25T18:22:00Z",
  "published": "2026-03-19T17:43:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WebReflection/flatted/security/advisories/GHSA-rf6f-7fwh-wjgh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33228"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WebReflection/flatted/commit/885ddcc33cf9657caf38c57c7be45ae1c5272802"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WebReflection/flatted"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WebReflection/flatted/releases/tag/v3.4.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Prototype Pollution via parse() in NodeJS flatted"
}

GHSA-RFV9-X7HH-XC32

Vulnerability from github – Published: 2023-03-28 18:59 – Updated: 2023-03-28 23:09
VLAI
Summary
matrix-js-sdk Prototype Pollution vulnerability
Details

Impact

Events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer.

Patches

This is fixed in matrix-js-sdk 19.4.0.

Workarounds

Redacting applicable events, waiting for the sync processor to store data, and restarting the client can often fix it. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues.

In some cases, no workarounds are possible.

References

https://learn.snyk.io/lessons/prototype-pollution/javascript/

For more information

If you have any questions or comments about this advisory please email us at security at matrix.org.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "matrix-js-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "19.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36059"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-28T18:59:28Z",
    "nvd_published_at": "2023-03-28T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nEvents sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer\u0027s ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer.\n\n### Patches\nThis is fixed in matrix-js-sdk 19.4.0.\n\n### Workarounds\nRedacting applicable events, waiting for the sync processor to store data, and restarting the client can often fix it. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues.\n\nIn some cases, no workarounds are possible.\n\n### References\nhttps://learn.snyk.io/lessons/prototype-pollution/javascript/\n\n### For more information\nIf you have any questions or comments about this advisory please email us at [security at matrix.org](mailto:security@matrix.org).\n",
  "id": "GHSA-rfv9-x7hh-xc32",
  "modified": "2023-03-28T23:09:01Z",
  "published": "2023-03-28T18:59:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36059"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/matrix-org/matrix-js-sdk"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.4.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "matrix-js-sdk Prototype Pollution vulnerability"
}

GHSA-RGFV-V3JH-7FFP

Vulnerability from github – Published: 2021-05-06 18:11 – Updated: 2021-05-05 18:56
VLAI
Summary
Prototype Pollution in deeps
Details

All versions of package deeps up to and including version 1.4.5 are vulnerable to Prototype Pollution via the set function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "deeps"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7716"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T18:56:42Z",
    "nvd_published_at": "2020-09-01T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "All versions of package deeps up to and including version 1.4.5 are vulnerable to Prototype Pollution via the set function.",
  "id": "GHSA-rgfv-v3jh-7ffp",
  "modified": "2021-05-05T18:56:42Z",
  "published": "2021-05-06T18:11:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7716"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-DEEPS-598667"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in deeps"
}

GHSA-RJ5F-7C8X-GJG4

Vulnerability from github – Published: 2021-05-06 18:26 – Updated: 2021-05-05 18:14
VLAI
Summary
Prototype Pollution in promisehelpers
Details

All versions of package promisehelpers up to and including version 0.0.5 are vulnerable to Prototype Pollution via the insert function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "promisehelpers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7723"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T18:14:15Z",
    "nvd_published_at": "2020-09-01T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "All versions of package promisehelpers up to and including version 0.0.5 are vulnerable to Prototype Pollution via the insert function.",
  "id": "GHSA-rj5f-7c8x-gjg4",
  "modified": "2021-05-05T18:14:15Z",
  "published": "2021-05-06T18:26:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7723"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-PROMISEHELPERS-598686"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in promisehelpers"
}

GHSA-RJF2-J2R6-Q8GR

Vulnerability from github – Published: 2021-10-19 15:28 – Updated: 2021-10-19 14:18
VLAI
Summary
Prototype Pollution in vm2
Details

This affects the package vm2 before 3.9.4. Prototype Pollution attack vector can lead to sandbox escape and execution of arbitrary code on the host machine.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "vm2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-19T14:18:05Z",
    "nvd_published_at": "2021-10-18T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "This affects the package vm2 before 3.9.4. Prototype Pollution attack vector can lead to sandbox escape and execution of arbitrary code on the host machine.",
  "id": "GHSA-rjf2-j2r6-q8gr",
  "modified": "2021-10-19T14:18:05Z",
  "published": "2021-10-19T15:28:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23449"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/issues/363"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/commit/b4f6e2bd2c4a1ef52fc4483d8e35f28bc4481886"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patriksimek/vm2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/releases/tag/3.9.4"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20211029-0010"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-VM2-1585918"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in vm2"
}

GHSA-RMHG-2CVV-Q7VX

Vulnerability from github – Published: 2023-03-06 06:30 – Updated: 2023-03-13 15:28
VLAI
Summary
dot-lens vulnerable to Prototype Pollution
Details

All versions of the package dot-lens are vulnerable to Prototype Pollution via the set() function in index.js file.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "dot-lens"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-07T20:32:03Z",
    "nvd_published_at": "2023-03-06T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "All versions of the package dot-lens are vulnerable to Prototype Pollution via the `set()` function in `index.js` file.",
  "id": "GHSA-rmhg-2cvv-q7vx",
  "modified": "2023-03-13T15:28:08Z",
  "published": "2023-03-06T06:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26106"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jb55/dot-lens"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jb55/dot-lens/blob/465ef2088e4065b7be1c4372eedd2215c3820bc4/index.js#23L70"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-DOTLENS-3227646"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "dot-lens vulnerable to Prototype Pollution"
}

GHSA-RMRJ-5WJ3-Q8FR

Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-02-06 18:31
VLAI
Details

A prototype pollution in the lib.parse function of dot-qs v0.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-05T22:15:31Z",
    "severity": "HIGH"
  },
  "details": "A prototype pollution in the lib.parse function of dot-qs v0.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.",
  "id": "GHSA-rmrj-5wj3-q8fr",
  "modified": "2025-02-06T18:31:05Z",
  "published": "2025-02-06T06:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57067"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/tariqhawis/07dca101d8fe059dd11b3b0e1b4a6d46"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.