Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

780 vulnerabilities reference this CWE, most recent first.

GHSA-45VR-76FP-GMWX

Vulnerability from github – Published: 2024-07-30 21:31 – Updated: 2024-08-01 15:32
VLAI
Details

Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36572"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-30T20:15:03Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.",
  "id": "GHSA-45vr-76fp-gmwx",
  "modified": "2024-08-01T15:32:15Z",
  "published": "2024-07-30T21:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36572"
    },
    {
      "type": "WEB",
      "url": "https://github.com/allpro/form-manager/issues/1"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/1771ab4fba733ca898b6e2463dc6ed19"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-462X-C3JW-7VR6

Vulnerability from github – Published: 2023-06-30 20:41 – Updated: 2023-06-30 20:41
VLAI
Summary
Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
Details

Impact

An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.

Patches

Prevent prototype pollution in MongoDB database adapter.

Workarounds

Disable remote code execution through the MongoDB BSON parser.

Credits

  • Discovered by hir0ot working with Trend Micro Zero Day Initiative
  • Fixed by dbythy
  • Reviewed by mtrezza

References

  • https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6
  • https://github.com/advisories/GHSA-prm5-8g2m-24gg
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-36475"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-30T20:41:43Z",
    "nvd_published_at": "2023-06-28T23:15:21Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nAn attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser.\n\n### Patches\n\nPrevent prototype pollution in MongoDB database adapter.\n\n### Workarounds\n\nDisable remote code execution through the MongoDB BSON parser.\n\n### Credits\n\n- Discovered by hir0ot working with Trend Micro Zero Day Initiative\n- Fixed by dbythy\n- Reviewed by mtrezza\n\n### References\n\n- https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6\n- https://github.com/advisories/GHSA-prm5-8g2m-24gg\n\n",
  "id": "GHSA-462x-c3jw-7vr6",
  "modified": "2023-06-30T20:41:43Z",
  "published": "2023-06-30T20:41:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36475"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/issues/8674"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/issues/8675"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/3dd99dd80e27e5e1d99b42844180546d90c7aa90"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/5fad2928fb8ee17304abcdcf259932f827d8c81f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/5.5.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/6.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution"
}

GHSA-46FH-8FC5-XCWX

Vulnerability from github – Published: 2020-09-03 18:09 – Updated: 2020-08-31 18:46
VLAI
Summary
Prototype Pollution in lodash.defaultsdeep
Details

Versions of lodash.defaultsdeep before 4.6.1 are vulnerable to Prototype Pollution. The function 'defaultsDeep' may allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.6.1 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash.defaultsdeep"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:46:13Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Versions of `lodash.defaultsdeep` before 4.6.1 are vulnerable to Prototype Pollution. The function \u0027defaultsDeep\u0027 may allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.6.1 or later.",
  "id": "GHSA-46fh-8fc5-xcwx",
  "modified": "2020-08-31T18:46:13Z",
  "published": "2020-09-03T18:09:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1070"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Prototype Pollution in lodash.defaultsdeep"
}

GHSA-47PJ-Q2VM-46XC

Vulnerability from github – Published: 2023-03-18 06:30 – Updated: 2023-03-24 19:40
VLAI
Summary
Collection.js vulnerable to Prototype Pollution
Details

Versions of the package collection.js before 6.8.1 are vulnerable to Prototype Pollution via the extend function in Collection.js/dist/node/iterators/extend.js.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "collection.js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26113"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-20T21:19:22Z",
    "nvd_published_at": "2023-03-18T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "Versions of the package collection.js before 6.8.1 are vulnerable to Prototype Pollution via the `extend` function in `Collection.js/dist/node/iterators/extend.js`.",
  "id": "GHSA-47pj-q2vm-46xc",
  "modified": "2023-03-24T19:40:25Z",
  "published": "2023-03-18T06:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26113"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kobezzza/Collection/issues/27"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kobezzza/Collection/commit/d3d937645f62f37d3115d6aa90bb510fd856e6a2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kobezzza/Collection"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kobezzza/Collection/blob/be32c48e68f49d3be48a58e929d1ab8ff1d2d19c/dist/node/iterators/extend.js%23L324"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kobezzza/Collection/releases/tag/v6.8.1"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-COLLECTIONJS-3185148"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Collection.js vulnerable to Prototype Pollution"
}

GHSA-4869-V738-XVVG

Vulnerability from github – Published: 2024-07-01 15:32 – Updated: 2024-08-21 21:30
VLAI
Details

2o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-01T13:15:05Z",
    "severity": "CRITICAL"
  },
  "details": "2o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
  "id": "GHSA-4869-v738-xvvg",
  "modified": "2024-08-21T21:30:45Z",
  "published": "2024-07-01T15:32:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39013"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/a2be744675af5ece3240c19fd04fc5e1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-49J4-86M8-Q2JW

Vulnerability from github – Published: 2024-04-10 15:30 – Updated: 2024-08-22 16:17
VLAI
Summary
mysql2 vulnerable to Prototype Poisoning
Details

Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "mysql2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21509"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-12T13:50:12Z",
    "nvd_published_at": "2024-04-10T05:15:48Z",
    "severity": "MODERATE"
  },
  "details": "Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through `parserFn` in `text_parser.js` and `binary_parser.js`.",
  "id": "GHSA-49j4-86m8-q2jw",
  "modified": "2024-08-22T16:17:37Z",
  "published": "2024-04-10T15:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21509"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sidorares/node-mysql2/pull/2574"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sidorares/node-mysql2/commit/4a964a3910a4b8de008696c554ab1b492e9b4691"
    },
    {
      "type": "WEB",
      "url": "https://blog.slonser.info/posts/mysql2-attacker-configuration"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sidorares/node-mysql2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sidorares/node-mysql2/blob/fd3d117da82cc5c5fa5a3701d7b33ca77691bc61/lib/parsers/text_parser.js%23L134"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sidorares/node-mysql2/releases/tag/v3.9.4"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-MYSQL2-6591084"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "mysql2 vulnerable to Prototype Poisoning"
}

GHSA-4C2G-HX49-7H25

Vulnerability from github – Published: 2024-01-23 14:43 – Updated: 2024-01-23 14:43
VLAI
Summary
Prototype pollution not blocked by object-path related utilities in hoolock
Details

Impact

Utility functions related to object paths (get, set and update) did not block attempts to access or alter object prototypes.

Patches

The get, set and update functions will throw a TypeError when a user attempts to access or alter inherited properties in versions >=2.2.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "hoolock"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-23339"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-23T14:43:13Z",
    "nvd_published_at": "2024-01-22T23:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nUtility functions related to object paths (`get`, `set` and `update`) did not block attempts to access or alter object prototypes.\n\n### Patches\nThe `get`, `set` and `update` functions will throw a `TypeError` when a user attempts to access or alter inherited properties in versions \u003e=2.2.1.",
  "id": "GHSA-4c2g-hx49-7h25",
  "modified": "2024-01-23T14:43:13Z",
  "published": "2024-01-23T14:43:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23339"
    },
    {
      "type": "WEB",
      "url": "https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/elijahharry/hoolock"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution not blocked by object-path related utilities in hoolock"
}

GHSA-4C35-WCG5-MM9H

Vulnerability from github – Published: 2026-05-06 17:34 – Updated: 2026-05-06 17:34
VLAI
Summary
next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys
Details

Summary

setNestedProperty in packages/next-intl/src/extractor/utils.tsx walks a dotted key path and assigns the final value without blocking the reserved keys __proto__, constructor, or prototype. When the next-intl Next.js plugin is configured with experimental.messages and messages.precompile: true, a JSON translation catalog containing a top‑level __proto__ key causes setNestedProperty(result, '__proto__.isAdmin', compiledMessage) to assign onto Object.prototype, polluting every object in the running build process.

Details

Root cause — packages/next-intl/src/extractor/utils.tsx:13-34:

export function setNestedProperty(
  obj: Record<string, any>,
  keyPath: string,
  value: any
): void {
  const keys = keyPath.split('.');
  let current = obj;

  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (
      !(key in current) ||
      typeof current[key] !== 'object' ||
      current[key] === null
    ) {
      current[key] = {};
    }
    current = current[key];
  }

  current[keys[keys.length - 1]] = value;
}

The existence check !(key in current) uses the in operator, which walks the prototype chain. For key === '__proto__', '__proto__' in {} is true (it's inherited from Object.prototype) and typeof current['__proto__'] === 'object' (it is Object.prototype). The guard therefore never re-initializes current[key], and current = current['__proto__'] redirects all subsequent writes onto Object.prototype. The final assignment current[keys[keys.length-1]] = value sets Object.prototype[<attacker key>] = <attacker value>.

Build-time data flow:

  1. packages/next-intl/src/plugin/catalog/catalogLoader.tsx:55-83 — the webpack/turbopack loader receives the catalog file source and, if options.messages.precompile is enabled, calls codec.decode(source, {locale}).
  2. packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx:9-18decode runs JSON.parse(source). V8 installs __proto__ as an own data property on the result when the JSON key is literally "__proto__" (bypassing the normal Object.prototype.__proto__ setter that would otherwise reassign the prototype).
  3. JSONCodec.tsx:33-53traverseMessages iterates Object.keys(obj), which for a JSON‑parsed object includes the own __proto__ key. It reads obj.__proto__ (returns the attacker’s nested object, not Object.prototype, because it's an own property), recurses into it, and emits message id __proto__.isAdmin.
  4. catalogLoader.tsx:71precompileMessages(decoded, cache).
  5. catalogLoader.tsx:89-131 — for each message, calls setNestedProperty(result, message.id, compiledMessage). With message.id === '__proto__.isAdmin', setNestedProperty walks into Object.prototype and assigns Object.prototype.isAdmin = compiledMessage.

The same sink is also reachable via JSONCodec.encode (JSONCodec.tsx:20-26) and POCodec (packages/next-intl/src/extractor/format/codecs/POCodec.tsx:87) during extraction, both of which feed attacker-influenced message.id values into setNestedProperty — but those paths require control of source-code identifiers, which is a weaker attack vector than the build-time catalog path above.

After pollution, every subsequent object access during the remainder of the Next.js build pipeline (webpack, turbopack, babel, next-intl’s own logic) inherits the attacker-controlled properties. This is a classic gadget-chain precondition for corrupting build-tool internals and tampering with generated bundles, since many build tools use patterns like if (obj.someFlag) or options[key] ?? default that are sensitive to polluted prototypes.

Trust boundary note: next-intl’s message catalogs are realistically attacker-influenced in practice. Translation files are routinely round-tripped through external TMS systems (Crowdin, Lokalise, Transifex), accepted via community locale PRs, or pulled from third-party translation packages — any of which can carry a crafted __proto__ key unnoticed, since JSON translation diffs are usually merged with minimal scrutiny.

PoC

Prerequisites: a Next.js project using next-intl ≤ 4.9.1 with the Next.js plugin configured:

// next.config.ts
import createNextIntlPlugin from 'next-intl/plugin';

const withNextIntl = createNextIntlPlugin({
  experimental: {
    messages: {
      path: './messages',
      format: 'json',
      locales: 'infer',
      precompile: true
    }
  }
});

export default withNextIntl({});
  1. Drop a malicious catalog at messages/en.json:

json { "Greeting": "Hello", "__proto__": { "isAdmin": "polluted" } }

  1. Run next build (or next dev). The catalogLoader will invoke JSONCodec.decodetraverseMessagesprecompileMessagessetNestedProperty.

  2. Minimal reproduction of the sink itself (verified locally against the v4.9.1 source):

```js function setNestedProperty(obj, keyPath, value) { const keys = keyPath.split('.'); let current = obj; for (let i = 0; i < keys.length - 1; i++) { const key = keys[i]; if (!(key in current) || typeof current[key] !== 'object' || current[key] === null) { current[key] = {}; } current = current[key]; } current[keys[keys.length - 1]] = value; }

setNestedProperty({}, 'proto.isAdmin', 'PWNED'); console.log(({}).isAdmin); // -> "PWNED" ```

Output: PWNED.

  1. Full chain reproduction (also verified):

js const parsed = JSON.parse('{"Greeting":"Hello","__proto__":{"isAdmin":"polluted"}}'); // traverseMessages emits: [{id:"Greeting",message:"Hello"},{id:"__proto__.isAdmin",message:"polluted"}] // precompileMessages then calls setNestedProperty(result, "__proto__.isAdmin", "polluted") console.log(({}).isAdmin); // -> "polluted"

After the loader runs, ({}).isAdmin === 'polluted' for the remainder of the build Node process.

Impact

  • Object.prototype is polluted for the lifetime of the build‑time Node.js process, affecting every object created or inspected thereafter in the Next.js build pipeline (webpack/turbopack loaders, babel plugins, next-intl’s own codecs, user plugins).
  • Classic CWE-1321 gadget-chain precondition: downstream tools that branch on obj.someFlag, options[key] ?? default, if (!config.noX), etc. can be coerced into unintended behavior, including emitting tampered bundles.
  • Realistic delivery vectors include TMS round-trips (Crowdin/Lokalise/Transifex), community locale PRs, and compromised/transitively-installed translation packages — all situations where a JSON catalog diff is routinely accepted without the scrutiny given to code changes.
  • Exploitation requires the user to opt in to the experimental.messages + precompile configuration. Users who do not use the extractor/precompile features are not affected.

Recommended Fix

Reject reserved keys in setNestedProperty and stop using the in operator for the existence check. A minimal patch to packages/next-intl/src/extractor/utils.tsx:

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

export function setNestedProperty(
  obj: Record<string, any>,
  keyPath: string,
  value: any
): void {
  const keys = keyPath.split('.');
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`Invalid message id segment: ${key}`);
    }
  }

  let current = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (
      !Object.prototype.hasOwnProperty.call(current, key) ||
      typeof current[key] !== 'object' ||
      current[key] === null
    ) {
      current[key] = Object.create(null);
    }
    current = current[key];
  }

  current[keys[keys.length - 1]] = value;
}

Additionally:

  • In packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx, make traverseMessages skip reserved keys (or switch to Object.create(null) + Object.hasOwn semantics) so that a malicious catalog is rejected early with a clear error rather than producing __proto__.* message ids.
  • In packages/next-intl/src/plugin/catalog/catalogLoader.tsx, initialize precompileMessages’s result with Object.create(null) as defense in depth, so even if a key slipped through it could not redirect through Object.prototype.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.9.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "next-intl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T17:34:12Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`setNestedProperty` in `packages/next-intl/src/extractor/utils.tsx` walks a dotted key path and assigns the final value without blocking the reserved keys `__proto__`, `constructor`, or `prototype`. When the next-intl Next.js plugin is configured with `experimental.messages` and `messages.precompile: true`, a JSON translation catalog containing a top\u2011level `__proto__` key causes `setNestedProperty(result, \u0027__proto__.isAdmin\u0027, compiledMessage)` to assign onto `Object.prototype`, polluting every object in the running build process.\n\n## Details\n\nRoot cause \u2014 `packages/next-intl/src/extractor/utils.tsx:13-34`:\n\n```ts\nexport function setNestedProperty(\n  obj: Record\u003cstring, any\u003e,\n  keyPath: string,\n  value: any\n): void {\n  const keys = keyPath.split(\u0027.\u0027);\n  let current = obj;\n\n  for (let i = 0; i \u003c keys.length - 1; i++) {\n    const key = keys[i];\n    if (\n      !(key in current) ||\n      typeof current[key] !== \u0027object\u0027 ||\n      current[key] === null\n    ) {\n      current[key] = {};\n    }\n    current = current[key];\n  }\n\n  current[keys[keys.length - 1]] = value;\n}\n```\n\nThe existence check `!(key in current)` uses the `in` operator, which walks the prototype chain. For `key === \u0027__proto__\u0027`, `\u0027__proto__\u0027 in {}` is `true` (it\u0027s inherited from `Object.prototype`) and `typeof current[\u0027__proto__\u0027] === \u0027object\u0027` (it *is* `Object.prototype`). The guard therefore never re-initializes `current[key]`, and `current = current[\u0027__proto__\u0027]` redirects all subsequent writes onto `Object.prototype`. The final assignment `current[keys[keys.length-1]] = value` sets `Object.prototype[\u003cattacker key\u003e] = \u003cattacker value\u003e`.\n\nBuild-time data flow:\n\n1. `packages/next-intl/src/plugin/catalog/catalogLoader.tsx:55-83` \u2014 the webpack/turbopack loader receives the catalog file `source` and, if `options.messages.precompile` is enabled, calls `codec.decode(source, {locale})`.\n2. `packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx:9-18` \u2014 `decode` runs `JSON.parse(source)`. V8 installs `__proto__` as an **own data property** on the result when the JSON key is literally `\"__proto__\"` (bypassing the normal `Object.prototype.__proto__` setter that would otherwise reassign the prototype).\n3. `JSONCodec.tsx:33-53` \u2014 `traverseMessages` iterates `Object.keys(obj)`, which for a JSON\u2011parsed object includes the own `__proto__` key. It reads `obj.__proto__` (returns the attacker\u2019s nested object, not `Object.prototype`, because it\u0027s an own property), recurses into it, and emits message id `__proto__.isAdmin`.\n4. `catalogLoader.tsx:71` \u2014 `precompileMessages(decoded, cache)`.\n5. `catalogLoader.tsx:89-131` \u2014 for each message, calls `setNestedProperty(result, message.id, compiledMessage)`. With `message.id === \u0027__proto__.isAdmin\u0027`, `setNestedProperty` walks into `Object.prototype` and assigns `Object.prototype.isAdmin = compiledMessage`.\n\nThe same sink is also reachable via `JSONCodec.encode` (`JSONCodec.tsx:20-26`) and `POCodec` (`packages/next-intl/src/extractor/format/codecs/POCodec.tsx:87`) during extraction, both of which feed attacker-influenced `message.id` values into `setNestedProperty` \u2014 but those paths require control of source-code identifiers, which is a weaker attack vector than the build-time catalog path above.\n\nAfter pollution, every subsequent object access during the remainder of the Next.js build pipeline (webpack, turbopack, babel, next-intl\u2019s own logic) inherits the attacker-controlled properties. This is a classic gadget-chain precondition for corrupting build-tool internals and tampering with generated bundles, since many build tools use patterns like `if (obj.someFlag)` or `options[key] ?? default` that are sensitive to polluted prototypes.\n\nTrust boundary note: next-intl\u2019s message catalogs are realistically attacker-influenced in practice. Translation files are routinely round-tripped through external TMS systems (Crowdin, Lokalise, Transifex), accepted via community locale PRs, or pulled from third-party translation packages \u2014 any of which can carry a crafted `__proto__` key unnoticed, since JSON translation diffs are usually merged with minimal scrutiny.\n\n## PoC\n\nPrerequisites: a Next.js project using next-intl \u2264 4.9.1 with the Next.js plugin configured:\n\n```ts\n// next.config.ts\nimport createNextIntlPlugin from \u0027next-intl/plugin\u0027;\n\nconst withNextIntl = createNextIntlPlugin({\n  experimental: {\n    messages: {\n      path: \u0027./messages\u0027,\n      format: \u0027json\u0027,\n      locales: \u0027infer\u0027,\n      precompile: true\n    }\n  }\n});\n\nexport default withNextIntl({});\n```\n\n1. Drop a malicious catalog at `messages/en.json`:\n\n   ```json\n   {\n     \"Greeting\": \"Hello\",\n     \"__proto__\": { \"isAdmin\": \"polluted\" }\n   }\n   ```\n\n2. Run `next build` (or `next dev`). The `catalogLoader` will invoke `JSONCodec.decode` \u2192 `traverseMessages` \u2192 `precompileMessages` \u2192 `setNestedProperty`.\n\n3. Minimal reproduction of the sink itself (verified locally against the v4.9.1 source):\n\n   ```js\n   function setNestedProperty(obj, keyPath, value) {\n     const keys = keyPath.split(\u0027.\u0027);\n     let current = obj;\n     for (let i = 0; i \u003c keys.length - 1; i++) {\n       const key = keys[i];\n       if (!(key in current) || typeof current[key] !== \u0027object\u0027 || current[key] === null) {\n         current[key] = {};\n       }\n       current = current[key];\n     }\n     current[keys[keys.length - 1]] = value;\n   }\n\n   setNestedProperty({}, \u0027__proto__.isAdmin\u0027, \u0027PWNED\u0027);\n   console.log(({}).isAdmin); // -\u003e \"PWNED\"\n   ```\n\n   Output: `PWNED`.\n\n4. Full chain reproduction (also verified):\n\n   ```js\n   const parsed = JSON.parse(\u0027{\"Greeting\":\"Hello\",\"__proto__\":{\"isAdmin\":\"polluted\"}}\u0027);\n   // traverseMessages emits: [{id:\"Greeting\",message:\"Hello\"},{id:\"__proto__.isAdmin\",message:\"polluted\"}]\n   // precompileMessages then calls setNestedProperty(result, \"__proto__.isAdmin\", \"polluted\")\n   console.log(({}).isAdmin); // -\u003e \"polluted\"\n   ```\n\n   After the loader runs, `({}).isAdmin === \u0027polluted\u0027` for the remainder of the build Node process.\n\n## Impact\n\n- `Object.prototype` is polluted for the lifetime of the build\u2011time Node.js process, affecting every object created or inspected thereafter in the Next.js build pipeline (webpack/turbopack loaders, babel plugins, next-intl\u2019s own codecs, user plugins).\n- Classic CWE-1321 gadget-chain precondition: downstream tools that branch on `obj.someFlag`, `options[key] ?? default`, `if (!config.noX)`, etc. can be coerced into unintended behavior, including emitting tampered bundles.\n- Realistic delivery vectors include TMS round-trips (Crowdin/Lokalise/Transifex), community locale PRs, and compromised/transitively-installed translation packages \u2014 all situations where a JSON catalog diff is routinely accepted without the scrutiny given to code changes.\n- Exploitation requires the user to opt in to the `experimental.messages` + `precompile` configuration. Users who do not use the extractor/precompile features are not affected.\n\n## Recommended Fix\n\nReject reserved keys in `setNestedProperty` and stop using the `in` operator for the existence check. A minimal patch to `packages/next-intl/src/extractor/utils.tsx`:\n\n```ts\nconst FORBIDDEN_KEYS = new Set([\u0027__proto__\u0027, \u0027constructor\u0027, \u0027prototype\u0027]);\n\nexport function setNestedProperty(\n  obj: Record\u003cstring, any\u003e,\n  keyPath: string,\n  value: any\n): void {\n  const keys = keyPath.split(\u0027.\u0027);\n  for (const key of keys) {\n    if (FORBIDDEN_KEYS.has(key)) {\n      throw new Error(`Invalid message id segment: ${key}`);\n    }\n  }\n\n  let current = obj;\n  for (let i = 0; i \u003c keys.length - 1; i++) {\n    const key = keys[i];\n    if (\n      !Object.prototype.hasOwnProperty.call(current, key) ||\n      typeof current[key] !== \u0027object\u0027 ||\n      current[key] === null\n    ) {\n      current[key] = Object.create(null);\n    }\n    current = current[key];\n  }\n\n  current[keys[keys.length - 1]] = value;\n}\n```\n\nAdditionally:\n\n- In `packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx`, make `traverseMessages` skip reserved keys (or switch to `Object.create(null)` + `Object.hasOwn` semantics) so that a malicious catalog is rejected early with a clear error rather than producing `__proto__.*` message ids.\n- In `packages/next-intl/src/plugin/catalog/catalogLoader.tsx`, initialize `precompileMessages`\u2019s `result` with `Object.create(null)` as defense in depth, so even if a key slipped through it could not redirect through `Object.prototype`.",
  "id": "GHSA-4c35-wcg5-mm9h",
  "modified": "2026-05-06T17:34:12Z",
  "published": "2026-05-06T17:34:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/amannn/next-intl/security/advisories/GHSA-4c35-wcg5-mm9h"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/amannn/next-intl"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys"
}

GHSA-4CPG-3VGW-4877

Vulnerability from github – Published: 2022-02-18 00:00 – Updated: 2022-07-21 16:20
VLAI
Summary
Prototype pollution in Plist before 3.0.5 can cause denial of service
Details

Prototype pollution vulnerability via .parse() in Plist allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "plist"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-22912"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-22T15:34:44Z",
    "nvd_published_at": "2022-02-17T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability via `.parse()` in Plist allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.",
  "id": "GHSA-4cpg-3vgw-4877",
  "modified": "2022-07-21T16:20:00Z",
  "published": "2022-02-18T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22912"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TooTallNate/plist.js/issues/114"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TooTallNate/plist.js/pull/118"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TooTallNate/plist.js/commit/96e2303d059e6be0c9e0c4773226d14b4758de52"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TooTallNate/plist.js"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in Plist before 3.0.5 can cause denial of service"
}

GHSA-4FR2-J4G9-MPPF

Vulnerability from github – Published: 2021-09-24 15:42 – Updated: 2023-09-07 22:37
VLAI
Summary
Prototype Pollution in deephas
Details

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "deephas"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "last_affected": "1.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28271"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-26T18:25:52Z",
    "nvd_published_at": "2020-11-12T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in \u0027deephas\u0027 versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution.",
  "id": "GHSA-4fr2-j4g9-mppf",
  "modified": "2023-09-07T22:37:35Z",
  "published": "2021-09-24T15:42:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28271"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sharpred/deepHas/commit/2fe011713a6178c50f7deb6f039a8e5435981e20"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28271"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28271,"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in deephas"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.