CWE-915
AllowedImproperly Controlled Modification of Dynamically-Determined Object Attributes
Abstraction: Base · Status: Incomplete
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
275 vulnerabilities reference this CWE, most recent first.
GHSA-V26W-GCXH-V4R7
Vulnerability from github – Published: 2021-12-10 18:50 – Updated: 2022-06-29 20:42Prototype pollution vulnerability in ‘just-safe-set’ versions 1.0.0 through 2.2.1 allows an attacker to cause a denial of service and may lead to remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "just-safe-set"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "2.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-25952"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-07-08T14:23:30Z",
"nvd_published_at": "2021-07-07T12:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in \u2018just-safe-set\u2019 versions 1.0.0 through 2.2.1 allows an attacker to cause a denial of service and may lead to remote code execution.",
"id": "GHSA-v26w-gcxh-v4r7",
"modified": "2022-06-29T20:42:16Z",
"published": "2021-12-10T18:50:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25952"
},
{
"type": "WEB",
"url": "https://github.com/angus-c/just/pull/267"
},
{
"type": "WEB",
"url": "https://github.com/angus-c/just/commit/dd57a476f4bb9d78c6f60741898dc04c71d2eb53"
},
{
"type": "PACKAGE",
"url": "https://github.com/angus-c/just"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25952"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype polluation in just-safe-set"
}
GHSA-V39H-QM32-8GWQ
Vulnerability from github – Published: 2021-12-09 19:57 – Updated: 2021-07-29 15:53express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the Object.prototype. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by express-mock-middleware. As such, this is considered to be a low risk.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "express-mock-middleware"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7616"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-25T17:28:15Z",
"nvd_published_at": "2020-04-07T14:15:00Z",
"severity": "MODERATE"
},
"details": "express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by `express-mock-middleware`. As such, this is considered to be a low risk.",
"id": "GHSA-v39h-qm32-8gwq",
"modified": "2021-07-29T15:53:05Z",
"published": "2021-12-09T19:57:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7616"
},
{
"type": "WEB",
"url": "https://github.com/LingyuCoder/express-mock-middleware/blob/master/lib/index.js#L39"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-EXPRESSMOCKMIDDLEWARE-564120"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improperly Controlled Modification of Dynamically-Determined Object Attributes in express-mock-middleware"
}
GHSA-V6FR-2XP3-XPR7
Vulnerability from github – Published: 2026-06-19 15:33 – Updated: 2026-06-19 15:33In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 privilege escalation by attaching authentication details to accounts was possible
{
"affected": [],
"aliases": [
"CVE-2026-56142"
],
"database_specific": {
"cwe_ids": [
"CWE-915"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-19T13:16:37Z",
"severity": "CRITICAL"
},
"details": "In JetBrains Hub before 2026.1.13757,\n2025.3.148033,\n2025.2.148048,\n2025.1.148120,\n2024.3.148430,\n2024.2.148429 privilege escalation by attaching authentication details to accounts was possible",
"id": "GHSA-v6fr-2xp3-xpr7",
"modified": "2026-06-19T15:33:15Z",
"published": "2026-06-19T15:33:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56142"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V88G-CGMW-V5XW
Vulnerability from github – Published: 2022-02-10 23:30 – Updated: 2024-06-21 21:33An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ajv"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.12.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-15366"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-10T21:23:41Z",
"nvd_published_at": "2020-07-15T20:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)",
"id": "GHSA-v88g-cgmw-v5xw",
"modified": "2024-06-21T21:33:48Z",
"published": "2022-02-10T23:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15366"
},
{
"type": "WEB",
"url": "https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f"
},
{
"type": "PACKAGE",
"url": "https://github.com/ajv-validator/ajv"
},
{
"type": "WEB",
"url": "https://github.com/ajv-validator/ajv/releases/tag/v6.12.3"
},
{
"type": "WEB",
"url": "https://github.com/ajv-validator/ajv/tags"
},
{
"type": "WEB",
"url": "https://hackerone.com/bugs?subject=user\u0026report_id=894259"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240621-0007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in Ajv"
}
GHSA-VJ72-MWRJ-M2XQ
Vulnerability from github – Published: 2021-08-10 16:09 – Updated: 2021-08-31 21:21All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "deepmergefn"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23417"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-02T18:38:21Z",
"nvd_published_at": "2021-07-28T16:15:00Z",
"severity": "MODERATE"
},
"details": "All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function.\n\n",
"id": "GHSA-vj72-mwrj-m2xq",
"modified": "2021-08-31T21:21:45Z",
"published": "2021-08-10T16:09:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23417"
},
{
"type": "PACKAGE",
"url": "https://github.com/jesusgm/deepmergefn"
},
{
"type": "WEB",
"url": "https://github.com/jesusgm/deepmergefn/blob/master/index.js#23L6"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-DEEPMERGEFN-1310984"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in deepmergefn"
}
GHSA-VPF5-82C8-9V36
Vulnerability from github – Published: 2021-11-23 21:15 – Updated: 2022-07-05 18:01The package algoliasearch-helper before 3.6.2 are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.jsSearchParameters._parseNumbers without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "algoliasearch-helper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23433"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-22T19:34:30Z",
"nvd_published_at": "2021-11-19T20:15:00Z",
"severity": "CRITICAL"
},
"details": "The package algoliasearch-helper before 3.6.2 are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.jsSearchParameters._parseNumbers without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns.",
"id": "GHSA-vpf5-82c8-9v36",
"modified": "2022-07-05T18:01:27Z",
"published": "2021-11-23T21:15:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23433"
},
{
"type": "WEB",
"url": "https://github.com/algolia/algoliasearch-helper-js/commit/4ff542b70b92a6b81cce8b9255700b0bc0817edd"
},
{
"type": "PACKAGE",
"url": "https://github.com/algolia/algoliasearch-helper-js"
},
{
"type": "WEB",
"url": "https://github.com/algolia/algoliasearch-helper-js/blob/3.5.5/src/SearchParameters/index.js%23L291"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in algoliasearch-helper"
}
GHSA-VR5M-3H59-7JCP
Vulnerability from github – Published: 2021-07-01 17:01 – Updated: 2022-05-26 19:57Impact
The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Patches
think-helper@1.1.3 patched it, anyone used think-helper should upgrade to >=1.1.3 version.
References
https://cwe.mitre.org/data/definitions/1321.html
For more information
If you have any questions or comments about this advisory: * Open an issue in thinkjs/thinkjs * Email us at i@imnerd.org
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "think-helper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-32736"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-30T17:40:38Z",
"nvd_published_at": "2021-06-30T18:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThe software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.\n\n### Patches\n\n`think-helper@1.1.3` patched it, anyone used `think-helper` should upgrade to `\u003e=1.1.3` version.\n\n### References\n\nhttps://cwe.mitre.org/data/definitions/1321.html\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [thinkjs/thinkjs](https://github.com/thinkjs/thinkjs)\n* Email us at [i@imnerd.org](mailto:i@imnerd.org)\n",
"id": "GHSA-vr5m-3h59-7jcp",
"modified": "2022-05-26T19:57:25Z",
"published": "2021-07-01T17:01:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/thinkjs/think-helper/security/advisories/GHSA-vr5m-3h59-7jcp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32736"
},
{
"type": "PACKAGE",
"url": "https://github.com/thinkjs/think-helper"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in think-helper"
}
GHSA-VRGW-PC9C-QRRC
Vulnerability from github – Published: 2026-01-13 19:54 – Updated: 2026-01-16 21:54Impact
Within Umbraco Forms, configuring a malicious URL on the Webservice data source can result in Remote Code Execution. This affects all Umbraco Forms versions running on .NET Framework (up to and including version 8).
Patches
The affected Umbraco Forms versions are all End-of-Life (EOL) and not supported anymore, hence no patches will be released. Upgrading to any of the currently supported versions (v13, v16 or v17) is recommended.
Workarounds
If none of the configured Forms data sources uses the Webservice type, it can be safely excluded by adding the following code to the application. This will completely remove the option to select/use this data source within the Backoffice and thereby mitigate the vulnerability.
using Umbraco.Core.Composing;
using Umbraco.Forms.Core.Providers;
using Umbraco.Forms.Core.Providers.DatasourceTypes;
internal sealed class RemoveFormsWebserviceDataSourceTypeComposer : IUserComposer
{
public void Compose(Composition composition)
=> composition.WithCollectionBuilder<DataSourceCollectionBuilder>().Exclude<Webservice>();
}
Any Webservice data source that is configured and still in use should be replaced with a custom implementation instead, before applying the above code. If this is not feasible, the vulnerability can be minimized by revoking the 'Manage Data Sources' from any non-administrator user and/or inheriting from the default Umbraco.Forms.Core.Providers.DatasourceTypes.Webservice class and overriding the ValidateSettings() method to ensure only trusted URLs can be used.
References
When upgrading to a supported version, please take the Forms version specific upgrade notes into account and check the CMS upgrade documentation. Content and schema can also be migrated straight to the latest version using Deploy export/import with migrations.
Implementation details on data sources are not extensively documented, but they follow the general Forms provider model and inherit from Umbraco.Forms.Core.FormDataSource.
A special thanks to Piotr Bazydlo (@chudyPB) of watchTowr for finding and disclosing this vulnerability
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "UmbracoForms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.13.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68924"
],
"database_specific": {
"cwe_ids": [
"CWE-502",
"CWE-829",
"CWE-915",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-13T19:54:05Z",
"nvd_published_at": "2026-01-16T19:16:18Z",
"severity": "CRITICAL"
},
"details": "### Impact\nWithin Umbraco Forms, configuring a malicious URL on the Webservice data source can result in Remote Code Execution. This affects all Umbraco Forms versions running on .NET Framework (up to and including version 8).\n\n### Patches\nThe affected Umbraco Forms versions are all End-of-Life (EOL) and not supported anymore, hence no patches will be released. Upgrading to any of the currently supported versions (v13, v16 or v17) is recommended.\n\n### Workarounds\nIf none of the configured Forms data sources uses the Webservice type, it can be safely excluded by adding the following code to the application. This will completely remove the option to select/use this data source within the Backoffice and thereby mitigate the vulnerability.\n\n```c#\nusing Umbraco.Core.Composing;\nusing Umbraco.Forms.Core.Providers;\nusing Umbraco.Forms.Core.Providers.DatasourceTypes;\n\ninternal sealed class RemoveFormsWebserviceDataSourceTypeComposer : IUserComposer\n{\n public void Compose(Composition composition)\n =\u003e composition.WithCollectionBuilder\u003cDataSourceCollectionBuilder\u003e().Exclude\u003cWebservice\u003e();\n}\n```\n\nAny Webservice data source that is configured and still in use should be replaced with a custom implementation instead, before applying the above code. If this is not feasible, the vulnerability can be minimized by revoking the \u0027Manage Data Sources\u0027 from any non-administrator user and/or inheriting from the default `Umbraco.Forms.Core.Providers.DatasourceTypes.Webservice` class and overriding the `ValidateSettings()` method to ensure only trusted URLs can be used.\n\n### References\nWhen upgrading to a supported version, please take the Forms [version specific upgrade notes](https://docs.umbraco.com/umbraco-forms/13.latest/upgrading/version-specific) into account and check the [CMS upgrade documentation](https://docs.umbraco.com/umbraco-cms/13.latest/fundamentals/setup/upgrading). Content and schema can also be migrated straight to the latest version using [Deploy export/import with migrations](https://docs.umbraco.com/umbraco-deploy/13.latest/deployment-workflow/import-export).\n\nImplementation details on data sources are not extensively documented, but they follow the general Forms [provider model](https://docs.umbraco.com/umbraco-forms/13.latest/developer/extending/adding-a-type) and inherit from `Umbraco.Forms.Core.FormDataSource`.\n\nA special thanks to Piotr Bazydlo (@chudyPB) of watchTowr for finding and disclosing this vulnerability",
"id": "GHSA-vrgw-pc9c-qrrc",
"modified": "2026-01-16T21:54:55Z",
"published": "2026-01-13T19:54:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-vrgw-pc9c-qrrc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68924"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-vrgw-pc9c-qrrc"
},
{
"type": "PACKAGE",
"url": "https://github.com/umbraco/Umbraco.Forms.Issues"
},
{
"type": "WEB",
"url": "https://our.umbraco.com/packages/developer-tools/umbraco-forms"
},
{
"type": "WEB",
"url": "https://www.nuget.org/packages/UmbracoForms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "UmbracoForms Vulnerable to Remote Code Execution via Untrusted WSDL Compilation in Dynamic SOAP Client Generation"
}
GHSA-VRR3-5R3V-7XFW
Vulnerability from github – Published: 2021-05-17 21:00 – Updated: 2023-09-13 19:52Overview
casperjs is a navigation scripting & testing utility for PhantomJS and SlimerJS.
Affected versions of this package are vulnerable to Prototype Pollution via the mergeObjects utility function.
PoC
var payload = JSON.parse('{"__proto__": {"a": "pwned"}}');
mergeObjects({}, payload);
console.log({}.a); // prints "pwned"
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "casperjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7679"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-11T22:26:54Z",
"nvd_published_at": "2020-06-19T11:15:00Z",
"severity": "HIGH"
},
"details": "### Overview\ncasperjs is a navigation scripting \u0026 testing utility for PhantomJS and SlimerJS.\n\nAffected versions of this package are vulnerable to Prototype Pollution via the mergeObjects utility function.\n\n### PoC\n```js\nvar payload = JSON.parse(\u0027{\"__proto__\": {\"a\": \"pwned\"}}\u0027);\nmergeObjects({}, payload);\nconsole.log({}.a); // prints \"pwned\"\n```",
"id": "GHSA-vrr3-5r3v-7xfw",
"modified": "2023-09-13T19:52:14Z",
"published": "2021-05-17T21:00:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7679"
},
{
"type": "PACKAGE",
"url": "https://github.com/casperjs/casperjs"
},
{
"type": "WEB",
"url": "https://github.com/casperjs/casperjs/blob/master/modules/utils.js%23L680"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-572804"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-CASPERJS-572803"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Improperly Controlled Modification of Dynamically-Determined Object Attributes in casperjs"
}
GHSA-W4CV-4JM4-PG8H
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32In danny-avila/librechat version v0.7.5-rc2, a vulnerability exists in the preset creation functionality where a user can manipulate the user ID field through mass assignment. This allows an attacker to inject a different user ID into the preset object, causing the preset to appear in the UI of another user. The vulnerability arises because the backend saves the entire object received without validating the attributes and their values, impacting both integrity and confidentiality.
{
"affected": [],
"aliases": [
"CVE-2024-10359"
],
"database_specific": {
"cwe_ids": [
"CWE-915"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:16Z",
"severity": "MODERATE"
},
"details": "In danny-avila/librechat version v0.7.5-rc2, a vulnerability exists in the preset creation functionality where a user can manipulate the user ID field through mass assignment. This allows an attacker to inject a different user ID into the preset object, causing the preset to appear in the UI of another user. The vulnerability arises because the backend saves the entire object received without validating the attributes and their values, impacting both integrity and confidentiality.",
"id": "GHSA-w4cv-4jm4-pg8h",
"modified": "2025-03-20T12:32:39Z",
"published": "2025-03-20T12:32:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10359"
},
{
"type": "WEB",
"url": "https://github.com/danny-avila/librechat/commit/e3e52402f69accc35c6d0acd9c3266ae1cb6333f"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/bba65eb4-4c83-4f33-83c1-ede5ed0d5656"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists.
- For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
Strategy: Input Validation
For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
Mitigation
Strategy: Refactoring
Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
No CAPEC attack patterns related to this CWE.