CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
780 vulnerabilities reference this CWE, most recent first.
GHSA-2X9C-QWGF-94XR
Vulnerability from github – Published: 2023-03-28 19:57 – Updated: 2023-03-28 23:09Impact
Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered.
Patches
This is fixed in matrix-react-sdk 3.53.0
Workarounds
There are no workarounds. Please upgrade immediately.
References
https://learn.snyk.io/lessons/prototype-pollution/javascript/
For more information
If you have any questions or comments about this advisory please email us at security at matrix.org.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "matrix-react-sdk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.53.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-36060"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-28T19:57:57Z",
"nvd_published_at": "2023-03-28T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nEvents sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered.\n\n### Patches\nThis is fixed in matrix-react-sdk 3.53.0\n\n### Workarounds\nThere are no workarounds. Please upgrade immediately.\n\n### References\nhttps://learn.snyk.io/lessons/prototype-pollution/javascript/\n\n### For more information\nIf you have any questions or comments about this advisory please email us at [security at matrix.org](mailto:security@matrix.org).\n",
"id": "GHSA-2x9c-qwgf-94xr",
"modified": "2023-03-28T23:09:13Z",
"published": "2023-03-28T19:57:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-2x9c-qwgf-94xr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36060"
},
{
"type": "PACKAGE",
"url": "https://github.com/matrix-org/matrix-react-sdk"
},
{
"type": "WEB",
"url": "https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.53.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "matrix-react-sdk Prototype pollution vulnerability"
}
GHSA-2XV9-GHH9-XC69
Vulnerability from github – Published: 2025-05-27 15:03 – Updated: 2025-05-27 15:03Impact
This is a prototype pollution vulnerability. It impacts users of the set function within the Radashi library. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios.
Patches
The vulnerability has been patched in commit 8147abc8cfc3cfe9b9a17cd389076a5d97235a66. Users should upgrade to a version of Radashi that includes this commit. The fix utilizes a new helper function, isDangerousKey, to prevent the use of __proto__, prototype, or constructor as keys in the path, throwing an error if any are encountered. This check is bypassed for objects with a null prototype.
Workarounds
Users on older versions can mitigate this vulnerability by sanitizing the path argument provided to the set function to ensure that no part of the path string is __proto__, prototype, or constructor. For example, by checking each segment of the path before passing it to the set function.
References
- Git commit:
8147abc8cfc3cfe9b9a17cd389076a5d97235a66 - CWE-1321: Improperly Controlled Modification of Dynamically-Determined Object Attributes ('Prototype Pollution'): https://cwe.mitre.org/data/definitions/1321.html
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "radashi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "12.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48054"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-27T15:03:05Z",
"nvd_published_at": "2025-05-27T05:15:23Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThis is a prototype pollution vulnerability. It impacts users of the `set` function within the Radashi library. If an attacker can control parts of the `path` argument to the `set` function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios.\n\n### Patches\n\nThe vulnerability has been patched in commit [`8147abc8cfc3cfe9b9a17cd389076a5d97235a66`](https://github.com/radashi-org/radashi/commit/8147abc8cfc3cfe9b9a17cd389076a5d97235a66). Users should upgrade to a version of Radashi that includes this commit. The fix utilizes a new helper function, `isDangerousKey`, to prevent the use of `__proto__`, `prototype`, or `constructor` as keys in the path, throwing an error if any are encountered. This check is bypassed for objects with a `null` prototype.\n\n### Workarounds\n\nUsers on older versions can mitigate this vulnerability by sanitizing the `path` argument provided to the `set` function to ensure that no part of the path string is `__proto__`, `prototype`, or `constructor`. For example, by checking each segment of the path before passing it to the `set` function.\n\n### References\n\n- Git commit: [`8147abc8cfc3cfe9b9a17cd389076a5d97235a66`](https://github.com/radashi-org/radashi/commit/8147abc8cfc3cfe9b9a17cd389076a5d97235a66)\n- CWE-1321: Improperly Controlled Modification of Dynamically-Determined Object Attributes (\u0027Prototype Pollution\u0027): https://cwe.mitre.org/data/definitions/1321.html",
"id": "GHSA-2xv9-ghh9-xc69",
"modified": "2025-05-27T15:03:05Z",
"published": "2025-05-27T15:03:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/radashi-org/radashi/security/advisories/GHSA-2xv9-ghh9-xc69"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48054"
},
{
"type": "WEB",
"url": "https://github.com/radashi-org/radashi/commit/8147abc8cfc3cfe9b9a17cd389076a5d97235a66"
},
{
"type": "PACKAGE",
"url": "https://github.com/radashi-org/radashi"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "radashi Allows Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
}
GHSA-328P-362G-R48J
Vulnerability from github – Published: 2024-07-01 15:32 – Updated: 2024-08-26 13:51ag-grid-enterprise v31.3.2 was discovered to contain a prototype pollution via the component _ModuleSupport.jsonApply. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@ag-grid-enterprise/charts"
},
"ranges": [
{
"events": [
{
"introduced": "32.0.0"
},
{
"fixed": "32.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"32.0.0"
]
},
{
"package": {
"ecosystem": "npm",
"name": "ag-grid-community"
},
"ranges": [
{
"events": [
{
"introduced": "32.0.0"
},
{
"fixed": "32.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"32.0.0"
]
},
{
"package": {
"ecosystem": "npm",
"name": "ag-grid-enterprise"
},
"ranges": [
{
"events": [
{
"introduced": "32.0.0"
},
{
"fixed": "32.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"32.0.0"
]
},
{
"package": {
"ecosystem": "npm",
"name": "@ag-grid-enterprise/charts"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "31.3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "ag-grid-community"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "31.3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "ag-grid-enterprise"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "31.3.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-39001"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-12T14:00:45Z",
"nvd_published_at": "2024-07-01T13:15:05Z",
"severity": "MODERATE"
},
"details": "ag-grid-enterprise v31.3.2 was discovered to contain a prototype pollution via the component _ModuleSupport.jsonApply. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
"id": "GHSA-328p-362g-r48j",
"modified": "2024-08-26T13:51:18Z",
"published": "2024-07-01T15:32:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39001"
},
{
"type": "WEB",
"url": "https://github.com/ag-grid/ag-grid/issues/8261"
},
{
"type": "WEB",
"url": "https://github.com/ag-grid/ag-grid/commit/78fb47f6c996f22c0b7184afb29620ab8c240522"
},
{
"type": "WEB",
"url": "https://github.com/ag-grid/ag-grid/commit/ff731699453f2632d4852b3a3c34b479c406068c"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/18e8c27f3a6376e7cf082cfe1ca766fa"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/c1590660750744f25e86ba1bf240844b"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/f8037d492dab0d77bca719e05d31c08b"
},
{
"type": "PACKAGE",
"url": "https://github.com/ag-grid/ag-grid"
},
{
"type": "WEB",
"url": "https://www.ag-grid.com/changelog/?fixVersion=31.3.4"
},
{
"type": "WEB",
"url": "https://www.ag-grid.com/changelog/?fixVersion=32.0.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ag-grid packages vulnerable to Prototype Pollution"
}
GHSA-32QF-G28M-P524
Vulnerability from github – Published: 2023-10-20 18:30 – Updated: 2024-04-04 08:51The nsc theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
{
"affected": [],
"aliases": [
"CVE-2023-3965"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-20T16:15:19Z",
"severity": "MODERATE"
},
"details": "The nsc theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
"id": "GHSA-32qf-g28m-p524",
"modified": "2024-04-04T08:51:28Z",
"published": "2023-10-20T18:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3965"
},
{
"type": "WEB",
"url": "https://github.com/BlackFan/client-side-prototype-pollution"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5909513d-8877-40ff-bee9-d565141b7ed2?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-339J-HQGX-QRRX
Vulnerability from github – Published: 2021-06-21 17:13 – Updated: 2023-08-08 19:57This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a proto or constructor.prototype payload.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nedb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23395"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-16T20:12:32Z",
"nvd_published_at": "2021-06-15T20:15:00Z",
"severity": "HIGH"
},
"details": "This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor.prototype payload.",
"id": "GHSA-339j-hqgx-qrrx",
"modified": "2023-08-08T19:57:23Z",
"published": "2021-06-21T17:13:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23395"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-NEDB-1305279"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in nedb"
}
GHSA-33F9-J839-RF8H
Vulnerability from github – Published: 2021-09-02 17:17 – Updated: 2024-04-25 22:16This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "immer"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "9.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23436"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-02T16:57:31Z",
"nvd_published_at": "2021-09-01T18:15:00Z",
"severity": "CRITICAL"
},
"details": "This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition `(p === \"__proto__\" || p === \"constructor\")` in `applyPatches_` returns false if `p` is `[\u0027__proto__\u0027]` (or `[\u0027constructor\u0027]`). The `===` operator (strict equality operator) returns false if the operands have different type.",
"id": "GHSA-33f9-j839-rf8h",
"modified": "2024-04-25T22:16:53Z",
"published": "2021-09-02T17:17:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23436"
},
{
"type": "WEB",
"url": "https://github.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237"
},
{
"type": "PACKAGE",
"url": "https://github.com/immerjs/immer"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579266"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-IMMER-1540542"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in immer"
}
GHSA-33RV-M2GP-MM2R
Vulnerability from github – Published: 2021-06-21 17:18 – Updated: 2021-05-20 21:34Prototype pollution vulnerability in 'safe-flat' versions 2.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "safe-flat"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-25927"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-20T21:34:56Z",
"nvd_published_at": "2021-04-26T11:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in \u0027safe-flat\u0027 versions 2.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.",
"id": "GHSA-33rv-m2gp-mm2r",
"modified": "2021-05-20T21:34:56Z",
"published": "2021-06-21T17:18:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25927"
},
{
"type": "WEB",
"url": "https://github.com/jessie-codes/safe-flat/commit/4b9b7db976bba8c968354f4315f5f9c219b7cbf3"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25927"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in safe-flat"
}
GHSA-33VH-7X8Q-MG35
Vulnerability from github – Published: 2022-12-20 06:30 – Updated: 2025-04-16 16:08All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "safe-eval"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25904"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-20T17:38:42Z",
"nvd_published_at": "2022-12-20T05:15:00Z",
"severity": "CRITICAL"
},
"details": "All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype.",
"id": "GHSA-33vh-7x8q-mg35",
"modified": "2025-04-16T16:08:32Z",
"published": "2022-12-20T06:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25904"
},
{
"type": "WEB",
"url": "https://github.com/hacksparrow/safe-eval/issues/26"
},
{
"type": "PACKAGE",
"url": "https://github.com/hacksparrow/safe-eval"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "safe-eval vulnerable to Prototype Pollution"
}
GHSA-34Q3-8X9V-J957
Vulnerability from github – Published: 2025-09-24 21:30 – Updated: 2025-09-26 12:55toggle-array is a package designed to enables a property on the object at the specified index, while disabling the property on all other objects. A Prototype Pollution vulnerability in the enable and disable function of toggle-array v1.0.1 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "toggle-array"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-57328"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-26T12:55:31Z",
"nvd_published_at": "2025-09-24T20:15:32Z",
"severity": "LOW"
},
"details": "toggle-array is a package designed to enables a property on the object at the specified index, while disabling the property on all other objects. A Prototype Pollution vulnerability in the enable and disable function of toggle-array v1.0.1 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.",
"id": "GHSA-34q3-8x9v-j957",
"modified": "2025-09-26T12:55:31Z",
"published": "2025-09-24T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57328"
},
{
"type": "WEB",
"url": "https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/toggle-array%401.0.1/index.js"
},
{
"type": "WEB",
"url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57328"
},
{
"type": "PACKAGE",
"url": "https://github.com/jonschlinkert/toggle-array"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "toggle-array vulnerable to prototype pollution"
}
GHSA-34Q8-JCQ6-MC37
Vulnerability from github – Published: 2024-10-01 06:30 – Updated: 2024-10-01 18:10Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "uplot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21489"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-01T18:10:50Z",
"nvd_published_at": "2024-10-01T05:15:12Z",
"severity": "HIGH"
},
"details": "Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype.",
"id": "GHSA-34q8-jcq6-mc37",
"modified": "2024-10-01T18:10:50Z",
"published": "2024-10-01T06:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21489"
},
{
"type": "WEB",
"url": "https://github.com/leeoniya/uPlot/commit/5756e3e9b91270b303157e14bd0174311047d983"
},
{
"type": "PACKAGE",
"url": "https://github.com/leeoniya/uPlot"
},
{
"type": "WEB",
"url": "https://github.com/leeoniya/uPlot/blob/c52e5001c1d959a99ac495a53e4deca5c44464d2/src/utils.js#L437-L452"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-UPLOT-6209224"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "uPlot Prototype Pollution vulnerability"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.