Common Weakness Enumeration

CWE-915

Allowed

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Abstraction: Base · Status: Incomplete

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

275 vulnerabilities reference this CWE, most recent first.

GHSA-V26W-GCXH-V4R7

Vulnerability from github – Published: 2021-12-10 18:50 – Updated: 2022-06-29 20:42
VLAI
Summary
Prototype polluation in just-safe-set
Details

Prototype pollution vulnerability in ‘just-safe-set’ versions 1.0.0 through 2.2.1 allows an attacker to cause a denial of service and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "just-safe-set"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "2.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-25952"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-08T14:23:30Z",
    "nvd_published_at": "2021-07-07T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in \u2018just-safe-set\u2019 versions 1.0.0 through 2.2.1 allows an attacker to cause a denial of service and may lead to remote code execution.",
  "id": "GHSA-v26w-gcxh-v4r7",
  "modified": "2022-06-29T20:42:16Z",
  "published": "2021-12-10T18:50:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25952"
    },
    {
      "type": "WEB",
      "url": "https://github.com/angus-c/just/pull/267"
    },
    {
      "type": "WEB",
      "url": "https://github.com/angus-c/just/commit/dd57a476f4bb9d78c6f60741898dc04c71d2eb53"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/angus-c/just"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25952"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype polluation in just-safe-set"
}

GHSA-V39H-QM32-8GWQ

Vulnerability from github – Published: 2021-12-09 19:57 – Updated: 2021-07-29 15:53
VLAI
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes in express-mock-middleware
Details

express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the Object.prototype. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by express-mock-middleware. As such, this is considered to be a low risk.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "express-mock-middleware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7616"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-25T17:28:15Z",
    "nvd_published_at": "2020-04-07T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by `express-mock-middleware`. As such, this is considered to be a low risk.",
  "id": "GHSA-v39h-qm32-8gwq",
  "modified": "2021-07-29T15:53:05Z",
  "published": "2021-12-09T19:57:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7616"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LingyuCoder/express-mock-middleware/blob/master/lib/index.js#L39"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-EXPRESSMOCKMIDDLEWARE-564120"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improperly Controlled Modification of Dynamically-Determined Object Attributes in express-mock-middleware"
}

GHSA-V6FR-2XP3-XPR7

Vulnerability from github – Published: 2026-06-19 15:33 – Updated: 2026-06-19 15:33
VLAI
Details

In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 privilege escalation by attaching authentication details to accounts was possible

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56142"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-19T13:16:37Z",
    "severity": "CRITICAL"
  },
  "details": "In JetBrains Hub before 2026.1.13757,\n2025.3.148033,\n2025.2.148048,\n2025.1.148120,\n2024.3.148430,\n2024.2.148429 privilege escalation by attaching authentication details to accounts was possible",
  "id": "GHSA-v6fr-2xp3-xpr7",
  "modified": "2026-06-19T15:33:15Z",
  "published": "2026-06-19T15:33:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56142"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V88G-CGMW-V5XW

Vulnerability from github – Published: 2022-02-10 23:30 – Updated: 2024-06-21 21:33
VLAI
Summary
Prototype Pollution in Ajv
Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ajv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.12.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15366"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-10T21:23:41Z",
    "nvd_published_at": "2020-07-15T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)",
  "id": "GHSA-v88g-cgmw-v5xw",
  "modified": "2024-06-21T21:33:48Z",
  "published": "2022-02-10T23:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15366"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ajv-validator/ajv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ajv-validator/ajv/releases/tag/v6.12.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ajv-validator/ajv/tags"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/bugs?subject=user\u0026report_id=894259"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240621-0007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in Ajv"
}

GHSA-VJ72-MWRJ-M2XQ

Vulnerability from github – Published: 2021-08-10 16:09 – Updated: 2021-08-31 21:21
VLAI
Summary
Prototype Pollution in deepmergefn
Details

All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "deepmergefn"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23417"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-02T18:38:21Z",
    "nvd_published_at": "2021-07-28T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function.\n\n",
  "id": "GHSA-vj72-mwrj-m2xq",
  "modified": "2021-08-31T21:21:45Z",
  "published": "2021-08-10T16:09:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23417"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jesusgm/deepmergefn"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jesusgm/deepmergefn/blob/master/index.js#23L6"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-DEEPMERGEFN-1310984"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in deepmergefn"
}

GHSA-VPF5-82C8-9V36

Vulnerability from github – Published: 2021-11-23 21:15 – Updated: 2022-07-05 18:01
VLAI
Summary
Prototype Pollution in algoliasearch-helper
Details

The package algoliasearch-helper before 3.6.2 are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.jsSearchParameters._parseNumbers without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "algoliasearch-helper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23433"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-22T19:34:30Z",
    "nvd_published_at": "2021-11-19T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The package algoliasearch-helper before 3.6.2 are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.jsSearchParameters._parseNumbers without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns.",
  "id": "GHSA-vpf5-82c8-9v36",
  "modified": "2022-07-05T18:01:27Z",
  "published": "2021-11-23T21:15:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23433"
    },
    {
      "type": "WEB",
      "url": "https://github.com/algolia/algoliasearch-helper-js/commit/4ff542b70b92a6b81cce8b9255700b0bc0817edd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/algolia/algoliasearch-helper-js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/algolia/algoliasearch-helper-js/blob/3.5.5/src/SearchParameters/index.js%23L291"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in algoliasearch-helper"
}

GHSA-VR5M-3H59-7JCP

Vulnerability from github – Published: 2021-07-01 17:01 – Updated: 2022-05-26 19:57
VLAI
Summary
Prototype Pollution in think-helper
Details

Impact

The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Patches

think-helper@1.1.3 patched it, anyone used think-helper should upgrade to >=1.1.3 version.

References

https://cwe.mitre.org/data/definitions/1321.html

For more information

If you have any questions or comments about this advisory: * Open an issue in thinkjs/thinkjs * Email us at i@imnerd.org

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "think-helper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-30T17:40:38Z",
    "nvd_published_at": "2021-06-30T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.\n\n### Patches\n\n`think-helper@1.1.3` patched it, anyone used `think-helper` should upgrade to `\u003e=1.1.3` version.\n\n### References\n\nhttps://cwe.mitre.org/data/definitions/1321.html\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [thinkjs/thinkjs](https://github.com/thinkjs/thinkjs)\n* Email us at [i@imnerd.org](mailto:i@imnerd.org)\n",
  "id": "GHSA-vr5m-3h59-7jcp",
  "modified": "2022-05-26T19:57:25Z",
  "published": "2021-07-01T17:01:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thinkjs/think-helper/security/advisories/GHSA-vr5m-3h59-7jcp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32736"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thinkjs/think-helper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in think-helper"
}

GHSA-VRGW-PC9C-QRRC

Vulnerability from github – Published: 2026-01-13 19:54 – Updated: 2026-01-16 21:54
VLAI
Summary
UmbracoForms Vulnerable to Remote Code Execution via Untrusted WSDL Compilation in Dynamic SOAP Client Generation
Details

Impact

Within Umbraco Forms, configuring a malicious URL on the Webservice data source can result in Remote Code Execution. This affects all Umbraco Forms versions running on .NET Framework (up to and including version 8).

Patches

The affected Umbraco Forms versions are all End-of-Life (EOL) and not supported anymore, hence no patches will be released. Upgrading to any of the currently supported versions (v13, v16 or v17) is recommended.

Workarounds

If none of the configured Forms data sources uses the Webservice type, it can be safely excluded by adding the following code to the application. This will completely remove the option to select/use this data source within the Backoffice and thereby mitigate the vulnerability.

using Umbraco.Core.Composing;
using Umbraco.Forms.Core.Providers;
using Umbraco.Forms.Core.Providers.DatasourceTypes;

internal sealed class RemoveFormsWebserviceDataSourceTypeComposer : IUserComposer
{
    public void Compose(Composition composition)
        => composition.WithCollectionBuilder<DataSourceCollectionBuilder>().Exclude<Webservice>();
}

Any Webservice data source that is configured and still in use should be replaced with a custom implementation instead, before applying the above code. If this is not feasible, the vulnerability can be minimized by revoking the 'Manage Data Sources' from any non-administrator user and/or inheriting from the default Umbraco.Forms.Core.Providers.DatasourceTypes.Webservice class and overriding the ValidateSettings() method to ensure only trusted URLs can be used.

References

When upgrading to a supported version, please take the Forms version specific upgrade notes into account and check the CMS upgrade documentation. Content and schema can also be migrated straight to the latest version using Deploy export/import with migrations.

Implementation details on data sources are not extensively documented, but they follow the general Forms provider model and inherit from Umbraco.Forms.Core.FormDataSource.

A special thanks to Piotr Bazydlo (@chudyPB) of watchTowr for finding and disclosing this vulnerability

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "UmbracoForms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "8.13.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68924"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502",
      "CWE-829",
      "CWE-915",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T19:54:05Z",
    "nvd_published_at": "2026-01-16T19:16:18Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nWithin Umbraco Forms, configuring a malicious URL on the Webservice data source can result in Remote Code Execution. This affects all Umbraco Forms versions running on .NET Framework (up to and including version 8).\n\n### Patches\nThe affected Umbraco Forms versions are all End-of-Life (EOL) and not supported anymore, hence no patches will be released. Upgrading to any of the currently supported versions (v13, v16 or v17) is recommended.\n\n### Workarounds\nIf none of the configured Forms data sources uses the Webservice type, it can be safely excluded by adding the following code to the application. This will completely remove the option to select/use this data source within the Backoffice and thereby mitigate the vulnerability.\n\n```c#\nusing Umbraco.Core.Composing;\nusing Umbraco.Forms.Core.Providers;\nusing Umbraco.Forms.Core.Providers.DatasourceTypes;\n\ninternal sealed class RemoveFormsWebserviceDataSourceTypeComposer : IUserComposer\n{\n    public void Compose(Composition composition)\n        =\u003e composition.WithCollectionBuilder\u003cDataSourceCollectionBuilder\u003e().Exclude\u003cWebservice\u003e();\n}\n```\n\nAny Webservice data source that is configured and still in use should be replaced with a custom implementation instead, before applying the above code. If this is not feasible, the vulnerability can be minimized by revoking the \u0027Manage Data Sources\u0027 from any non-administrator user and/or inheriting from the default `Umbraco.Forms.Core.Providers.DatasourceTypes.Webservice` class and overriding the `ValidateSettings()` method to ensure only trusted URLs can be used.\n\n### References\nWhen upgrading to a supported version, please take the Forms [version specific upgrade notes](https://docs.umbraco.com/umbraco-forms/13.latest/upgrading/version-specific) into account and check the [CMS upgrade documentation](https://docs.umbraco.com/umbraco-cms/13.latest/fundamentals/setup/upgrading). Content and schema can also be migrated straight to the latest version using [Deploy export/import with migrations](https://docs.umbraco.com/umbraco-deploy/13.latest/deployment-workflow/import-export).\n\nImplementation details on data sources are not extensively documented, but they follow the general Forms [provider model](https://docs.umbraco.com/umbraco-forms/13.latest/developer/extending/adding-a-type) and inherit from `Umbraco.Forms.Core.FormDataSource`.\n\nA special thanks to Piotr Bazydlo (@chudyPB) of watchTowr for finding and disclosing this vulnerability",
  "id": "GHSA-vrgw-pc9c-qrrc",
  "modified": "2026-01-16T21:54:55Z",
  "published": "2026-01-13T19:54:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-vrgw-pc9c-qrrc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68924"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-vrgw-pc9c-qrrc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/umbraco/Umbraco.Forms.Issues"
    },
    {
      "type": "WEB",
      "url": "https://our.umbraco.com/packages/developer-tools/umbraco-forms"
    },
    {
      "type": "WEB",
      "url": "https://www.nuget.org/packages/UmbracoForms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "UmbracoForms Vulnerable to Remote Code Execution via Untrusted WSDL Compilation in Dynamic SOAP Client Generation"
}

GHSA-VRR3-5R3V-7XFW

Vulnerability from github – Published: 2021-05-17 21:00 – Updated: 2023-09-13 19:52
VLAI
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes in casperjs
Details

Overview

casperjs is a navigation scripting & testing utility for PhantomJS and SlimerJS.

Affected versions of this package are vulnerable to Prototype Pollution via the mergeObjects utility function.

PoC

var payload = JSON.parse('{"__proto__": {"a": "pwned"}}');
mergeObjects({}, payload);
console.log({}.a); // prints "pwned"
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "casperjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7679"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-11T22:26:54Z",
    "nvd_published_at": "2020-06-19T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Overview\ncasperjs is a navigation scripting \u0026 testing utility for PhantomJS and SlimerJS.\n\nAffected versions of this package are vulnerable to Prototype Pollution via the mergeObjects utility function.\n\n### PoC\n```js\nvar payload = JSON.parse(\u0027{\"__proto__\": {\"a\": \"pwned\"}}\u0027);\nmergeObjects({}, payload);\nconsole.log({}.a); // prints \"pwned\"\n```",
  "id": "GHSA-vrr3-5r3v-7xfw",
  "modified": "2023-09-13T19:52:14Z",
  "published": "2021-05-17T21:00:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7679"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/casperjs/casperjs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/casperjs/casperjs/blob/master/modules/utils.js%23L680"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-572804"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-CASPERJS-572803"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improperly Controlled Modification of Dynamically-Determined Object Attributes in casperjs"
}

GHSA-W4CV-4JM4-PG8H

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

In danny-avila/librechat version v0.7.5-rc2, a vulnerability exists in the preset creation functionality where a user can manipulate the user ID field through mass assignment. This allows an attacker to inject a different user ID into the preset object, causing the preset to appear in the UI of another user. The vulnerability arises because the backend saves the entire object received without validating the attributes and their values, impacting both integrity and confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10359"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In danny-avila/librechat version v0.7.5-rc2, a vulnerability exists in the preset creation functionality where a user can manipulate the user ID field through mass assignment. This allows an attacker to inject a different user ID into the preset object, causing the preset to appear in the UI of another user. The vulnerability arises because the backend saves the entire object received without validating the attributes and their values, impacting both integrity and confidentiality.",
  "id": "GHSA-w4cv-4jm4-pg8h",
  "modified": "2025-03-20T12:32:39Z",
  "published": "2025-03-20T12:32:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10359"
    },
    {
      "type": "WEB",
      "url": "https://github.com/danny-avila/librechat/commit/e3e52402f69accc35c6d0acd9c3266ae1cb6333f"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/bba65eb4-4c83-4f33-83c1-ede5ed0d5656"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation
  • If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists.
  • For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

Strategy: Input Validation

For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.

Mitigation
Implementation Architecture and Design

Strategy: Refactoring

Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.

No CAPEC attack patterns related to this CWE.