Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

780 vulnerabilities reference this CWE, most recent first.

GHSA-2X9C-QWGF-94XR

Vulnerability from github – Published: 2023-03-28 19:57 – Updated: 2023-03-28 23:09
VLAI
Summary
matrix-react-sdk Prototype pollution vulnerability
Details

Impact

Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered.

Patches

This is fixed in matrix-react-sdk 3.53.0

Workarounds

There are no workarounds. Please upgrade immediately.

References

https://learn.snyk.io/lessons/prototype-pollution/javascript/

For more information

If you have any questions or comments about this advisory please email us at security at matrix.org.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "matrix-react-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.53.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36060"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-28T19:57:57Z",
    "nvd_published_at": "2023-03-28T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nEvents sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered.\n\n### Patches\nThis is fixed in matrix-react-sdk 3.53.0\n\n### Workarounds\nThere are no workarounds. Please upgrade immediately.\n\n### References\nhttps://learn.snyk.io/lessons/prototype-pollution/javascript/\n\n### For more information\nIf you have any questions or comments about this advisory please email us at [security at matrix.org](mailto:security@matrix.org).\n",
  "id": "GHSA-2x9c-qwgf-94xr",
  "modified": "2023-03-28T23:09:13Z",
  "published": "2023-03-28T19:57:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-2x9c-qwgf-94xr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36060"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/matrix-org/matrix-react-sdk"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.53.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "matrix-react-sdk Prototype pollution vulnerability"
}

GHSA-2XV9-GHH9-XC69

Vulnerability from github – Published: 2025-05-27 15:03 – Updated: 2025-05-27 15:03
VLAI
Summary
radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Details

Impact

This is a prototype pollution vulnerability. It impacts users of the set function within the Radashi library. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios.

Patches

The vulnerability has been patched in commit 8147abc8cfc3cfe9b9a17cd389076a5d97235a66. Users should upgrade to a version of Radashi that includes this commit. The fix utilizes a new helper function, isDangerousKey, to prevent the use of __proto__, prototype, or constructor as keys in the path, throwing an error if any are encountered. This check is bypassed for objects with a null prototype.

Workarounds

Users on older versions can mitigate this vulnerability by sanitizing the path argument provided to the set function to ensure that no part of the path string is __proto__, prototype, or constructor. For example, by checking each segment of the path before passing it to the set function.

References

  • Git commit: 8147abc8cfc3cfe9b9a17cd389076a5d97235a66
  • CWE-1321: Improperly Controlled Modification of Dynamically-Determined Object Attributes ('Prototype Pollution'): https://cwe.mitre.org/data/definitions/1321.html
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "radashi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48054"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-27T15:03:05Z",
    "nvd_published_at": "2025-05-27T05:15:23Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThis is a prototype pollution vulnerability. It impacts users of the `set` function within the Radashi library. If an attacker can control parts of the `path` argument to the `set` function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpected behavior, denial of service, or even remote code execution in some specific scenarios.\n\n### Patches\n\nThe vulnerability has been patched in commit [`8147abc8cfc3cfe9b9a17cd389076a5d97235a66`](https://github.com/radashi-org/radashi/commit/8147abc8cfc3cfe9b9a17cd389076a5d97235a66). Users should upgrade to a version of Radashi that includes this commit. The fix utilizes a new helper function, `isDangerousKey`, to prevent the use of `__proto__`, `prototype`, or `constructor` as keys in the path, throwing an error if any are encountered. This check is bypassed for objects with a `null` prototype.\n\n### Workarounds\n\nUsers on older versions can mitigate this vulnerability by sanitizing the `path` argument provided to the `set` function to ensure that no part of the path string is `__proto__`, `prototype`, or `constructor`. For example, by checking each segment of the path before passing it to the `set` function.\n\n### References\n\n- Git commit: [`8147abc8cfc3cfe9b9a17cd389076a5d97235a66`](https://github.com/radashi-org/radashi/commit/8147abc8cfc3cfe9b9a17cd389076a5d97235a66)\n- CWE-1321: Improperly Controlled Modification of Dynamically-Determined Object Attributes (\u0027Prototype Pollution\u0027): https://cwe.mitre.org/data/definitions/1321.html",
  "id": "GHSA-2xv9-ghh9-xc69",
  "modified": "2025-05-27T15:03:05Z",
  "published": "2025-05-27T15:03:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/radashi-org/radashi/security/advisories/GHSA-2xv9-ghh9-xc69"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48054"
    },
    {
      "type": "WEB",
      "url": "https://github.com/radashi-org/radashi/commit/8147abc8cfc3cfe9b9a17cd389076a5d97235a66"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/radashi-org/radashi"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "radashi Allows Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
}

GHSA-328P-362G-R48J

Vulnerability from github – Published: 2024-07-01 15:32 – Updated: 2024-08-26 13:51
VLAI
Summary
ag-grid packages vulnerable to Prototype Pollution
Details

ag-grid-enterprise v31.3.2 was discovered to contain a prototype pollution via the component _ModuleSupport.jsonApply. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@ag-grid-enterprise/charts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "32.0.0"
            },
            {
              "fixed": "32.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "32.0.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "ag-grid-community"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "32.0.0"
            },
            {
              "fixed": "32.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "32.0.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "ag-grid-enterprise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "32.0.0"
            },
            {
              "fixed": "32.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "32.0.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@ag-grid-enterprise/charts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "31.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "ag-grid-community"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "31.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "ag-grid-enterprise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "31.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-12T14:00:45Z",
    "nvd_published_at": "2024-07-01T13:15:05Z",
    "severity": "MODERATE"
  },
  "details": "ag-grid-enterprise v31.3.2 was discovered to contain a prototype pollution via the component _ModuleSupport.jsonApply. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
  "id": "GHSA-328p-362g-r48j",
  "modified": "2024-08-26T13:51:18Z",
  "published": "2024-07-01T15:32:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39001"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ag-grid/ag-grid/issues/8261"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ag-grid/ag-grid/commit/78fb47f6c996f22c0b7184afb29620ab8c240522"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ag-grid/ag-grid/commit/ff731699453f2632d4852b3a3c34b479c406068c"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/18e8c27f3a6376e7cf082cfe1ca766fa"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/c1590660750744f25e86ba1bf240844b"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/f8037d492dab0d77bca719e05d31c08b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ag-grid/ag-grid"
    },
    {
      "type": "WEB",
      "url": "https://www.ag-grid.com/changelog/?fixVersion=31.3.4"
    },
    {
      "type": "WEB",
      "url": "https://www.ag-grid.com/changelog/?fixVersion=32.0.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ag-grid packages vulnerable to Prototype Pollution"
}

GHSA-32QF-G28M-P524

Vulnerability from github – Published: 2023-10-20 18:30 – Updated: 2024-04-04 08:51
VLAI
Details

The nsc theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3965"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-20T16:15:19Z",
    "severity": "MODERATE"
  },
  "details": "The nsc theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
  "id": "GHSA-32qf-g28m-p524",
  "modified": "2024-04-04T08:51:28Z",
  "published": "2023-10-20T18:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3965"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BlackFan/client-side-prototype-pollution"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5909513d-8877-40ff-bee9-d565141b7ed2?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-339J-HQGX-QRRX

Vulnerability from github – Published: 2021-06-21 17:13 – Updated: 2023-08-08 19:57
VLAI
Summary
Prototype Pollution in nedb
Details

This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a proto or constructor.prototype payload.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nedb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23395"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-16T20:12:32Z",
    "nvd_published_at": "2021-06-15T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor.prototype payload.",
  "id": "GHSA-339j-hqgx-qrrx",
  "modified": "2023-08-08T19:57:23Z",
  "published": "2021-06-21T17:13:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23395"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-NEDB-1305279"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in nedb"
}

GHSA-33F9-J839-RF8H

Vulnerability from github – Published: 2021-09-02 17:17 – Updated: 2024-04-25 22:16
VLAI
Summary
Prototype Pollution in immer
Details

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "immer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "9.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23436"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-843"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-02T16:57:31Z",
    "nvd_published_at": "2021-09-01T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition `(p === \"__proto__\" || p === \"constructor\")` in `applyPatches_` returns false if `p` is `[\u0027__proto__\u0027]` (or `[\u0027constructor\u0027]`). The `===` operator (strict equality operator) returns false if the operands have different type.",
  "id": "GHSA-33f9-j839-rf8h",
  "modified": "2024-04-25T22:16:53Z",
  "published": "2021-09-02T17:17:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23436"
    },
    {
      "type": "WEB",
      "url": "https://github.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/immerjs/immer"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579266"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-IMMER-1540542"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in immer"
}

GHSA-33RV-M2GP-MM2R

Vulnerability from github – Published: 2021-06-21 17:18 – Updated: 2021-05-20 21:34
VLAI
Summary
Prototype pollution in safe-flat
Details

Prototype pollution vulnerability in 'safe-flat' versions 2.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "safe-flat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-25927"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-20T21:34:56Z",
    "nvd_published_at": "2021-04-26T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in \u0027safe-flat\u0027 versions 2.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.",
  "id": "GHSA-33rv-m2gp-mm2r",
  "modified": "2021-05-20T21:34:56Z",
  "published": "2021-06-21T17:18:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25927"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jessie-codes/safe-flat/commit/4b9b7db976bba8c968354f4315f5f9c219b7cbf3"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25927"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in safe-flat"
}

GHSA-33VH-7X8Q-MG35

Vulnerability from github – Published: 2022-12-20 06:30 – Updated: 2025-04-16 16:08
VLAI
Summary
safe-eval vulnerable to Prototype Pollution
Details

All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "safe-eval"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-20T17:38:42Z",
    "nvd_published_at": "2022-12-20T05:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype.",
  "id": "GHSA-33vh-7x8q-mg35",
  "modified": "2025-04-16T16:08:32Z",
  "published": "2022-12-20T06:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25904"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hacksparrow/safe-eval/issues/26"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hacksparrow/safe-eval"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "safe-eval vulnerable to Prototype Pollution"
}

GHSA-34Q3-8X9V-J957

Vulnerability from github – Published: 2025-09-24 21:30 – Updated: 2025-09-26 12:55
VLAI
Summary
toggle-array vulnerable to prototype pollution
Details

toggle-array is a package designed to enables a property on the object at the specified index, while disabling the property on all other objects. A Prototype Pollution vulnerability in the enable and disable function of toggle-array v1.0.1 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "toggle-array"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-57328"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-26T12:55:31Z",
    "nvd_published_at": "2025-09-24T20:15:32Z",
    "severity": "LOW"
  },
  "details": "toggle-array is a package designed to enables a property on the object at the specified index, while disabling the property on all other objects. A Prototype Pollution vulnerability in the enable and disable function of toggle-array v1.0.1 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.",
  "id": "GHSA-34q3-8x9v-j957",
  "modified": "2025-09-26T12:55:31Z",
  "published": "2025-09-24T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57328"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/toggle-array%401.0.1/index.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57328"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jonschlinkert/toggle-array"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "toggle-array vulnerable to prototype pollution"
}

GHSA-34Q8-JCQ6-MC37

Vulnerability from github – Published: 2024-10-01 06:30 – Updated: 2024-10-01 18:10
VLAI
Summary
uPlot Prototype Pollution vulnerability
Details

Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "uplot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-01T18:10:50Z",
    "nvd_published_at": "2024-10-01T05:15:12Z",
    "severity": "HIGH"
  },
  "details": "Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype.",
  "id": "GHSA-34q8-jcq6-mc37",
  "modified": "2024-10-01T18:10:50Z",
  "published": "2024-10-01T06:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21489"
    },
    {
      "type": "WEB",
      "url": "https://github.com/leeoniya/uPlot/commit/5756e3e9b91270b303157e14bd0174311047d983"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/leeoniya/uPlot"
    },
    {
      "type": "WEB",
      "url": "https://github.com/leeoniya/uPlot/blob/c52e5001c1d959a99ac495a53e4deca5c44464d2/src/utils.js#L437-L452"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-UPLOT-6209224"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "uPlot Prototype Pollution vulnerability"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.