CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
780 vulnerabilities reference this CWE, most recent first.
GHSA-45VR-76FP-GMWX
Vulnerability from github – Published: 2024-07-30 21:31 – Updated: 2024-08-01 15:32Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.
{
"affected": [],
"aliases": [
"CVE-2024-36572"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-30T20:15:03Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.",
"id": "GHSA-45vr-76fp-gmwx",
"modified": "2024-08-01T15:32:15Z",
"published": "2024-07-30T21:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36572"
},
{
"type": "WEB",
"url": "https://github.com/allpro/form-manager/issues/1"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/1771ab4fba733ca898b6e2463dc6ed19"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-462X-C3JW-7VR6
Vulnerability from github – Published: 2023-06-30 20:41 – Updated: 2023-06-30 20:41Impact
An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.
Patches
Prevent prototype pollution in MongoDB database adapter.
Workarounds
Disable remote code execution through the MongoDB BSON parser.
Credits
- Discovered by hir0ot working with Trend Micro Zero Day Initiative
- Fixed by dbythy
- Reviewed by mtrezza
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6
- https://github.com/advisories/GHSA-prm5-8g2m-24gg
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-36475"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-30T20:41:43Z",
"nvd_published_at": "2023-06-28T23:15:21Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nAn attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.\n\n### Patches\n\nPrevent prototype pollution in MongoDB database adapter.\n\n### Workarounds\n\nDisable remote code execution through the MongoDB BSON parser.\n\n### Credits\n\n- Discovered by hir0ot working with Trend Micro Zero Day Initiative\n- Fixed by dbythy\n- Reviewed by mtrezza\n\n### References\n\n- https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6\n- https://github.com/advisories/GHSA-prm5-8g2m-24gg\n\n",
"id": "GHSA-462x-c3jw-7vr6",
"modified": "2023-06-30T20:41:43Z",
"published": "2023-06-30T20:41:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36475"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/issues/8674"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/issues/8675"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/5.5.2"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/6.2.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution"
}
GHSA-46FH-8FC5-XCWX
Vulnerability from github – Published: 2020-09-03 18:09 – Updated: 2020-08-31 18:46Versions of lodash.defaultsdeep before 4.6.1 are vulnerable to Prototype Pollution. The function 'defaultsDeep' may allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.
Recommendation
Update to version 4.6.1 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "lodash.defaultsdeep"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:46:13Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Versions of `lodash.defaultsdeep` before 4.6.1 are vulnerable to Prototype Pollution. The function \u0027defaultsDeep\u0027 may allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.6.1 or later.",
"id": "GHSA-46fh-8fc5-xcwx",
"modified": "2020-08-31T18:46:13Z",
"published": "2020-09-03T18:09:16Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1070"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Prototype Pollution in lodash.defaultsdeep"
}
GHSA-47PJ-Q2VM-46XC
Vulnerability from github – Published: 2023-03-18 06:30 – Updated: 2023-03-24 19:40Versions of the package collection.js before 6.8.1 are vulnerable to Prototype Pollution via the extend function in Collection.js/dist/node/iterators/extend.js.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "collection.js"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26113"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-20T21:19:22Z",
"nvd_published_at": "2023-03-18T05:15:00Z",
"severity": "HIGH"
},
"details": "Versions of the package collection.js before 6.8.1 are vulnerable to Prototype Pollution via the `extend` function in `Collection.js/dist/node/iterators/extend.js`.",
"id": "GHSA-47pj-q2vm-46xc",
"modified": "2023-03-24T19:40:25Z",
"published": "2023-03-18T06:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26113"
},
{
"type": "WEB",
"url": "https://github.com/kobezzza/Collection/issues/27"
},
{
"type": "WEB",
"url": "https://github.com/kobezzza/Collection/commit/d3d937645f62f37d3115d6aa90bb510fd856e6a2"
},
{
"type": "PACKAGE",
"url": "https://github.com/kobezzza/Collection"
},
{
"type": "WEB",
"url": "https://github.com/kobezzza/Collection/blob/be32c48e68f49d3be48a58e929d1ab8ff1d2d19c/dist/node/iterators/extend.js%23L324"
},
{
"type": "WEB",
"url": "https://github.com/kobezzza/Collection/releases/tag/v6.8.1"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-COLLECTIONJS-3185148"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Collection.js vulnerable to Prototype Pollution"
}
GHSA-4869-V738-XVVG
Vulnerability from github – Published: 2024-07-01 15:32 – Updated: 2024-08-21 21:302o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
{
"affected": [],
"aliases": [
"CVE-2024-39013"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-01T13:15:05Z",
"severity": "CRITICAL"
},
"details": "2o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
"id": "GHSA-4869-v738-xvvg",
"modified": "2024-08-21T21:30:45Z",
"published": "2024-07-01T15:32:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39013"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/a2be744675af5ece3240c19fd04fc5e1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-49J4-86M8-Q2JW
Vulnerability from github – Published: 2024-04-10 15:30 – Updated: 2024-08-22 16:17Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mysql2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21509"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-12T13:50:12Z",
"nvd_published_at": "2024-04-10T05:15:48Z",
"severity": "MODERATE"
},
"details": "Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through `parserFn` in `text_parser.js` and `binary_parser.js`.",
"id": "GHSA-49j4-86m8-q2jw",
"modified": "2024-08-22T16:17:37Z",
"published": "2024-04-10T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21509"
},
{
"type": "WEB",
"url": "https://github.com/sidorares/node-mysql2/pull/2574"
},
{
"type": "WEB",
"url": "https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691"
},
{
"type": "WEB",
"url": "https://blog.slonser.info/posts/mysql2-attacker-configuration"
},
{
"type": "PACKAGE",
"url": "https://github.com/sidorares/node-mysql2"
},
{
"type": "WEB",
"url": "https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134"
},
{
"type": "WEB",
"url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "mysql2 vulnerable to Prototype Poisoning"
}
GHSA-4C2G-HX49-7H25
Vulnerability from github – Published: 2024-01-23 14:43 – Updated: 2024-01-23 14:43Impact
Utility functions related to object paths (get, set and update) did not block attempts to access or alter object prototypes.
Patches
The get, set and update functions will throw a TypeError when a user attempts to access or alter inherited properties in versions >=2.2.1.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "hoolock"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-23339"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-23T14:43:13Z",
"nvd_published_at": "2024-01-22T23:15:08Z",
"severity": "MODERATE"
},
"details": "### Impact\nUtility functions related to object paths (`get`, `set` and `update`) did not block attempts to access or alter object prototypes.\n\n### Patches\nThe `get`, `set` and `update` functions will throw a `TypeError` when a user attempts to access or alter inherited properties in versions \u003e=2.2.1.",
"id": "GHSA-4c2g-hx49-7h25",
"modified": "2024-01-23T14:43:13Z",
"published": "2024-01-23T14:43:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23339"
},
{
"type": "WEB",
"url": "https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982"
},
{
"type": "PACKAGE",
"url": "https://github.com/elijahharry/hoolock"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution not blocked by object-path related utilities in hoolock"
}
GHSA-4C35-WCG5-MM9H
Vulnerability from github – Published: 2026-05-06 17:34 – Updated: 2026-05-06 17:34Summary
setNestedProperty in packages/next-intl/src/extractor/utils.tsx walks a dotted key path and assigns the final value without blocking the reserved keys __proto__, constructor, or prototype. When the next-intl Next.js plugin is configured with experimental.messages and messages.precompile: true, a JSON translation catalog containing a top‑level __proto__ key causes setNestedProperty(result, '__proto__.isAdmin', compiledMessage) to assign onto Object.prototype, polluting every object in the running build process.
Details
Root cause — packages/next-intl/src/extractor/utils.tsx:13-34:
export function setNestedProperty(
obj: Record<string, any>,
keyPath: string,
value: any
): void {
const keys = keyPath.split('.');
let current = obj;
for (let i = 0; i < keys.length - 1; i++) {
const key = keys[i];
if (
!(key in current) ||
typeof current[key] !== 'object' ||
current[key] === null
) {
current[key] = {};
}
current = current[key];
}
current[keys[keys.length - 1]] = value;
}
The existence check !(key in current) uses the in operator, which walks the prototype chain. For key === '__proto__', '__proto__' in {} is true (it's inherited from Object.prototype) and typeof current['__proto__'] === 'object' (it is Object.prototype). The guard therefore never re-initializes current[key], and current = current['__proto__'] redirects all subsequent writes onto Object.prototype. The final assignment current[keys[keys.length-1]] = value sets Object.prototype[<attacker key>] = <attacker value>.
Build-time data flow:
packages/next-intl/src/plugin/catalog/catalogLoader.tsx:55-83— the webpack/turbopack loader receives the catalog filesourceand, ifoptions.messages.precompileis enabled, callscodec.decode(source, {locale}).packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx:9-18—decoderunsJSON.parse(source). V8 installs__proto__as an own data property on the result when the JSON key is literally"__proto__"(bypassing the normalObject.prototype.__proto__setter that would otherwise reassign the prototype).JSONCodec.tsx:33-53—traverseMessagesiteratesObject.keys(obj), which for a JSON‑parsed object includes the own__proto__key. It readsobj.__proto__(returns the attacker’s nested object, notObject.prototype, because it's an own property), recurses into it, and emits message id__proto__.isAdmin.catalogLoader.tsx:71—precompileMessages(decoded, cache).catalogLoader.tsx:89-131— for each message, callssetNestedProperty(result, message.id, compiledMessage). Withmessage.id === '__proto__.isAdmin',setNestedPropertywalks intoObject.prototypeand assignsObject.prototype.isAdmin = compiledMessage.
The same sink is also reachable via JSONCodec.encode (JSONCodec.tsx:20-26) and POCodec (packages/next-intl/src/extractor/format/codecs/POCodec.tsx:87) during extraction, both of which feed attacker-influenced message.id values into setNestedProperty — but those paths require control of source-code identifiers, which is a weaker attack vector than the build-time catalog path above.
After pollution, every subsequent object access during the remainder of the Next.js build pipeline (webpack, turbopack, babel, next-intl’s own logic) inherits the attacker-controlled properties. This is a classic gadget-chain precondition for corrupting build-tool internals and tampering with generated bundles, since many build tools use patterns like if (obj.someFlag) or options[key] ?? default that are sensitive to polluted prototypes.
Trust boundary note: next-intl’s message catalogs are realistically attacker-influenced in practice. Translation files are routinely round-tripped through external TMS systems (Crowdin, Lokalise, Transifex), accepted via community locale PRs, or pulled from third-party translation packages — any of which can carry a crafted __proto__ key unnoticed, since JSON translation diffs are usually merged with minimal scrutiny.
PoC
Prerequisites: a Next.js project using next-intl ≤ 4.9.1 with the Next.js plugin configured:
// next.config.ts
import createNextIntlPlugin from 'next-intl/plugin';
const withNextIntl = createNextIntlPlugin({
experimental: {
messages: {
path: './messages',
format: 'json',
locales: 'infer',
precompile: true
}
}
});
export default withNextIntl({});
- Drop a malicious catalog at
messages/en.json:
json
{
"Greeting": "Hello",
"__proto__": { "isAdmin": "polluted" }
}
-
Run
next build(ornext dev). ThecatalogLoaderwill invokeJSONCodec.decode→traverseMessages→precompileMessages→setNestedProperty. -
Minimal reproduction of the sink itself (verified locally against the v4.9.1 source):
```js function setNestedProperty(obj, keyPath, value) { const keys = keyPath.split('.'); let current = obj; for (let i = 0; i < keys.length - 1; i++) { const key = keys[i]; if (!(key in current) || typeof current[key] !== 'object' || current[key] === null) { current[key] = {}; } current = current[key]; } current[keys[keys.length - 1]] = value; }
setNestedProperty({}, 'proto.isAdmin', 'PWNED'); console.log(({}).isAdmin); // -> "PWNED" ```
Output: PWNED.
- Full chain reproduction (also verified):
js
const parsed = JSON.parse('{"Greeting":"Hello","__proto__":{"isAdmin":"polluted"}}');
// traverseMessages emits: [{id:"Greeting",message:"Hello"},{id:"__proto__.isAdmin",message:"polluted"}]
// precompileMessages then calls setNestedProperty(result, "__proto__.isAdmin", "polluted")
console.log(({}).isAdmin); // -> "polluted"
After the loader runs, ({}).isAdmin === 'polluted' for the remainder of the build Node process.
Impact
Object.prototypeis polluted for the lifetime of the build‑time Node.js process, affecting every object created or inspected thereafter in the Next.js build pipeline (webpack/turbopack loaders, babel plugins, next-intl’s own codecs, user plugins).- Classic CWE-1321 gadget-chain precondition: downstream tools that branch on
obj.someFlag,options[key] ?? default,if (!config.noX), etc. can be coerced into unintended behavior, including emitting tampered bundles. - Realistic delivery vectors include TMS round-trips (Crowdin/Lokalise/Transifex), community locale PRs, and compromised/transitively-installed translation packages — all situations where a JSON catalog diff is routinely accepted without the scrutiny given to code changes.
- Exploitation requires the user to opt in to the
experimental.messages+precompileconfiguration. Users who do not use the extractor/precompile features are not affected.
Recommended Fix
Reject reserved keys in setNestedProperty and stop using the in operator for the existence check. A minimal patch to packages/next-intl/src/extractor/utils.tsx:
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
export function setNestedProperty(
obj: Record<string, any>,
keyPath: string,
value: any
): void {
const keys = keyPath.split('.');
for (const key of keys) {
if (FORBIDDEN_KEYS.has(key)) {
throw new Error(`Invalid message id segment: ${key}`);
}
}
let current = obj;
for (let i = 0; i < keys.length - 1; i++) {
const key = keys[i];
if (
!Object.prototype.hasOwnProperty.call(current, key) ||
typeof current[key] !== 'object' ||
current[key] === null
) {
current[key] = Object.create(null);
}
current = current[key];
}
current[keys[keys.length - 1]] = value;
}
Additionally:
- In
packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx, maketraverseMessagesskip reserved keys (or switch toObject.create(null)+Object.hasOwnsemantics) so that a malicious catalog is rejected early with a clear error rather than producing__proto__.*message ids. - In
packages/next-intl/src/plugin/catalog/catalogLoader.tsx, initializeprecompileMessages’sresultwithObject.create(null)as defense in depth, so even if a key slipped through it could not redirect throughObject.prototype.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.9.1"
},
"package": {
"ecosystem": "npm",
"name": "next-intl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.9.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T17:34:12Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\n`setNestedProperty` in `packages/next-intl/src/extractor/utils.tsx` walks a dotted key path and assigns the final value without blocking the reserved keys `__proto__`, `constructor`, or `prototype`. When the next-intl Next.js plugin is configured with `experimental.messages` and `messages.precompile: true`, a JSON translation catalog containing a top\u2011level `__proto__` key causes `setNestedProperty(result, \u0027__proto__.isAdmin\u0027, compiledMessage)` to assign onto `Object.prototype`, polluting every object in the running build process.\n\n## Details\n\nRoot cause \u2014 `packages/next-intl/src/extractor/utils.tsx:13-34`:\n\n```ts\nexport function setNestedProperty(\n obj: Record\u003cstring, any\u003e,\n keyPath: string,\n value: any\n): void {\n const keys = keyPath.split(\u0027.\u0027);\n let current = obj;\n\n for (let i = 0; i \u003c keys.length - 1; i++) {\n const key = keys[i];\n if (\n !(key in current) ||\n typeof current[key] !== \u0027object\u0027 ||\n current[key] === null\n ) {\n current[key] = {};\n }\n current = current[key];\n }\n\n current[keys[keys.length - 1]] = value;\n}\n```\n\nThe existence check `!(key in current)` uses the `in` operator, which walks the prototype chain. For `key === \u0027__proto__\u0027`, `\u0027__proto__\u0027 in {}` is `true` (it\u0027s inherited from `Object.prototype`) and `typeof current[\u0027__proto__\u0027] === \u0027object\u0027` (it *is* `Object.prototype`). The guard therefore never re-initializes `current[key]`, and `current = current[\u0027__proto__\u0027]` redirects all subsequent writes onto `Object.prototype`. The final assignment `current[keys[keys.length-1]] = value` sets `Object.prototype[\u003cattacker key\u003e] = \u003cattacker value\u003e`.\n\nBuild-time data flow:\n\n1. `packages/next-intl/src/plugin/catalog/catalogLoader.tsx:55-83` \u2014 the webpack/turbopack loader receives the catalog file `source` and, if `options.messages.precompile` is enabled, calls `codec.decode(source, {locale})`.\n2. `packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx:9-18` \u2014 `decode` runs `JSON.parse(source)`. V8 installs `__proto__` as an **own data property** on the result when the JSON key is literally `\"__proto__\"` (bypassing the normal `Object.prototype.__proto__` setter that would otherwise reassign the prototype).\n3. `JSONCodec.tsx:33-53` \u2014 `traverseMessages` iterates `Object.keys(obj)`, which for a JSON\u2011parsed object includes the own `__proto__` key. It reads `obj.__proto__` (returns the attacker\u2019s nested object, not `Object.prototype`, because it\u0027s an own property), recurses into it, and emits message id `__proto__.isAdmin`.\n4. `catalogLoader.tsx:71` \u2014 `precompileMessages(decoded, cache)`.\n5. `catalogLoader.tsx:89-131` \u2014 for each message, calls `setNestedProperty(result, message.id, compiledMessage)`. With `message.id === \u0027__proto__.isAdmin\u0027`, `setNestedProperty` walks into `Object.prototype` and assigns `Object.prototype.isAdmin = compiledMessage`.\n\nThe same sink is also reachable via `JSONCodec.encode` (`JSONCodec.tsx:20-26`) and `POCodec` (`packages/next-intl/src/extractor/format/codecs/POCodec.tsx:87`) during extraction, both of which feed attacker-influenced `message.id` values into `setNestedProperty` \u2014 but those paths require control of source-code identifiers, which is a weaker attack vector than the build-time catalog path above.\n\nAfter pollution, every subsequent object access during the remainder of the Next.js build pipeline (webpack, turbopack, babel, next-intl\u2019s own logic) inherits the attacker-controlled properties. This is a classic gadget-chain precondition for corrupting build-tool internals and tampering with generated bundles, since many build tools use patterns like `if (obj.someFlag)` or `options[key] ?? default` that are sensitive to polluted prototypes.\n\nTrust boundary note: next-intl\u2019s message catalogs are realistically attacker-influenced in practice. Translation files are routinely round-tripped through external TMS systems (Crowdin, Lokalise, Transifex), accepted via community locale PRs, or pulled from third-party translation packages \u2014 any of which can carry a crafted `__proto__` key unnoticed, since JSON translation diffs are usually merged with minimal scrutiny.\n\n## PoC\n\nPrerequisites: a Next.js project using next-intl \u2264 4.9.1 with the Next.js plugin configured:\n\n```ts\n// next.config.ts\nimport createNextIntlPlugin from \u0027next-intl/plugin\u0027;\n\nconst withNextIntl = createNextIntlPlugin({\n experimental: {\n messages: {\n path: \u0027./messages\u0027,\n format: \u0027json\u0027,\n locales: \u0027infer\u0027,\n precompile: true\n }\n }\n});\n\nexport default withNextIntl({});\n```\n\n1. Drop a malicious catalog at `messages/en.json`:\n\n ```json\n {\n \"Greeting\": \"Hello\",\n \"__proto__\": { \"isAdmin\": \"polluted\" }\n }\n ```\n\n2. Run `next build` (or `next dev`). The `catalogLoader` will invoke `JSONCodec.decode` \u2192 `traverseMessages` \u2192 `precompileMessages` \u2192 `setNestedProperty`.\n\n3. Minimal reproduction of the sink itself (verified locally against the v4.9.1 source):\n\n ```js\n function setNestedProperty(obj, keyPath, value) {\n const keys = keyPath.split(\u0027.\u0027);\n let current = obj;\n for (let i = 0; i \u003c keys.length - 1; i++) {\n const key = keys[i];\n if (!(key in current) || typeof current[key] !== \u0027object\u0027 || current[key] === null) {\n current[key] = {};\n }\n current = current[key];\n }\n current[keys[keys.length - 1]] = value;\n }\n\n setNestedProperty({}, \u0027__proto__.isAdmin\u0027, \u0027PWNED\u0027);\n console.log(({}).isAdmin); // -\u003e \"PWNED\"\n ```\n\n Output: `PWNED`.\n\n4. Full chain reproduction (also verified):\n\n ```js\n const parsed = JSON.parse(\u0027{\"Greeting\":\"Hello\",\"__proto__\":{\"isAdmin\":\"polluted\"}}\u0027);\n // traverseMessages emits: [{id:\"Greeting\",message:\"Hello\"},{id:\"__proto__.isAdmin\",message:\"polluted\"}]\n // precompileMessages then calls setNestedProperty(result, \"__proto__.isAdmin\", \"polluted\")\n console.log(({}).isAdmin); // -\u003e \"polluted\"\n ```\n\n After the loader runs, `({}).isAdmin === \u0027polluted\u0027` for the remainder of the build Node process.\n\n## Impact\n\n- `Object.prototype` is polluted for the lifetime of the build\u2011time Node.js process, affecting every object created or inspected thereafter in the Next.js build pipeline (webpack/turbopack loaders, babel plugins, next-intl\u2019s own codecs, user plugins).\n- Classic CWE-1321 gadget-chain precondition: downstream tools that branch on `obj.someFlag`, `options[key] ?? default`, `if (!config.noX)`, etc. can be coerced into unintended behavior, including emitting tampered bundles.\n- Realistic delivery vectors include TMS round-trips (Crowdin/Lokalise/Transifex), community locale PRs, and compromised/transitively-installed translation packages \u2014 all situations where a JSON catalog diff is routinely accepted without the scrutiny given to code changes.\n- Exploitation requires the user to opt in to the `experimental.messages` + `precompile` configuration. Users who do not use the extractor/precompile features are not affected.\n\n## Recommended Fix\n\nReject reserved keys in `setNestedProperty` and stop using the `in` operator for the existence check. A minimal patch to `packages/next-intl/src/extractor/utils.tsx`:\n\n```ts\nconst FORBIDDEN_KEYS = new Set([\u0027__proto__\u0027, \u0027constructor\u0027, \u0027prototype\u0027]);\n\nexport function setNestedProperty(\n obj: Record\u003cstring, any\u003e,\n keyPath: string,\n value: any\n): void {\n const keys = keyPath.split(\u0027.\u0027);\n for (const key of keys) {\n if (FORBIDDEN_KEYS.has(key)) {\n throw new Error(`Invalid message id segment: ${key}`);\n }\n }\n\n let current = obj;\n for (let i = 0; i \u003c keys.length - 1; i++) {\n const key = keys[i];\n if (\n !Object.prototype.hasOwnProperty.call(current, key) ||\n typeof current[key] !== \u0027object\u0027 ||\n current[key] === null\n ) {\n current[key] = Object.create(null);\n }\n current = current[key];\n }\n\n current[keys[keys.length - 1]] = value;\n}\n```\n\nAdditionally:\n\n- In `packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx`, make `traverseMessages` skip reserved keys (or switch to `Object.create(null)` + `Object.hasOwn` semantics) so that a malicious catalog is rejected early with a clear error rather than producing `__proto__.*` message ids.\n- In `packages/next-intl/src/plugin/catalog/catalogLoader.tsx`, initialize `precompileMessages`\u2019s `result` with `Object.create(null)` as defense in depth, so even if a key slipped through it could not redirect through `Object.prototype`.",
"id": "GHSA-4c35-wcg5-mm9h",
"modified": "2026-05-06T17:34:12Z",
"published": "2026-05-06T17:34:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/amannn/next-intl/security/advisories/GHSA-4c35-wcg5-mm9h"
},
{
"type": "PACKAGE",
"url": "https://github.com/amannn/next-intl"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys"
}
GHSA-4CPG-3VGW-4877
Vulnerability from github – Published: 2022-02-18 00:00 – Updated: 2022-07-21 16:20Prototype pollution vulnerability via .parse() in Plist allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "plist"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-22912"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-22T15:34:44Z",
"nvd_published_at": "2022-02-17T19:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability via `.parse()` in Plist allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.",
"id": "GHSA-4cpg-3vgw-4877",
"modified": "2022-07-21T16:20:00Z",
"published": "2022-02-18T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22912"
},
{
"type": "WEB",
"url": "https://github.com/TooTallNate/plist.js/issues/114"
},
{
"type": "WEB",
"url": "https://github.com/TooTallNate/plist.js/pull/118"
},
{
"type": "WEB",
"url": "https://github.com/TooTallNate/plist.js/commit/96e2303d059e6be0c9e0c4773226d14b4758de52"
},
{
"type": "PACKAGE",
"url": "https://github.com/TooTallNate/plist.js"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in Plist before 3.0.5 can cause denial of service"
}
GHSA-4FR2-J4G9-MPPF
Vulnerability from github – Published: 2021-09-24 15:42 – Updated: 2023-09-07 22:37Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "deephas"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"last_affected": "1.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28271"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-07-26T18:25:52Z",
"nvd_published_at": "2020-11-12T18:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in \u0027deephas\u0027 versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution.",
"id": "GHSA-4fr2-j4g9-mppf",
"modified": "2023-09-07T22:37:35Z",
"published": "2021-09-24T15:42:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28271"
},
{
"type": "WEB",
"url": "https://github.com/sharpred/deepHas/commit/2fe011713a6178c50f7deb6f039a8e5435981e20"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28271"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28271,"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in deephas"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.