CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
780 vulnerabilities reference this CWE, most recent first.
GHSA-65FC-CR5F-V7R2
Vulnerability from github – Published: 2025-08-04 16:07 – Updated: 2025-08-05 17:11A prototype pollution vulnerability in js-toml allows a remote attacker to add or modify properties of the global Object.prototype by parsing a maliciously crafted TOML input.
Impact
The js-toml library is vulnerable to Prototype Pollution. When parsing a TOML string containing the specially crafted key __proto__, an attacker can add or modify properties on the global Object.prototype.
While the js-toml library itself does not contain known vulnerable "gadgets", this can lead to severe security vulnerabilities in applications that use the library. For example, if the consuming application checks for the existence of a property for authorization purposes (e.g., user.isAdmin), this vulnerability could be escalated to an authentication bypass. Other potential impacts in the application include Denial of Service (DoS) or, in some cases, Remote Code Execution (RCE), depending on the application's logic and dependencies.
Any application that uses an affected version of js-toml to parse untrusted input is vulnerable. The severity of the impact, ranging from unexpected behavior to a full security compromise, is dependent on the application's specific code and its handling of object properties.
Patches
This vulnerability has been patched in version 1.0.2.
All users are advised to upgrade to version 1.0.2 or later to mitigate this issue. Users of all prior versions are affected.
Workarounds
If you are unable to upgrade to a patched version, the only mitigation is to ensure that any TOML input being passed to the js-toml library is from a fully trusted source and has been validated to not contain malicious keys.
References
-
This vulnerability was discovered and responsibly disclosed by siunam.
-
The Proof-of-Concept can be found at this Gist: https://gist.github.com/siunam321/f3dc4d21a5a932c67b6c11d0026f5afc
-
For more information on Prototype Pollution, see PortSwigger's explanation: https://portswigger.net/web-security/prototype-pollution
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "js-toml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54803"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-04T16:07:05Z",
"nvd_published_at": "2025-08-05T01:15:42Z",
"severity": "HIGH"
},
"details": "A prototype pollution vulnerability in `js-toml` allows a remote attacker to add or modify properties of the global `Object.prototype` by parsing a maliciously crafted TOML input.\n\n### Impact\n\nThe `js-toml` library is vulnerable to Prototype Pollution. When parsing a TOML string containing the specially crafted key `__proto__`, an attacker can add or modify properties on the global `Object.prototype`.\n\nWhile the `js-toml` library itself does not contain known vulnerable \"gadgets\", this can lead to severe security vulnerabilities in applications that use the library. For example, if the consuming application checks for the existence of a property for authorization purposes (e.g., `user.isAdmin`), this vulnerability could be escalated to an authentication bypass. Other potential impacts in the application include Denial of Service (DoS) or, in some cases, Remote Code Execution (RCE), depending on the application\u0027s logic and dependencies.\n\nAny application that uses an affected version of `js-toml` to parse untrusted input is vulnerable. The severity of the impact, ranging from unexpected behavior to a full security compromise, is dependent on the application\u0027s specific code and its handling of object properties.\n\n### Patches\n\nThis vulnerability has been patched in version `1.0.2`.\n\nAll users are advised to upgrade to version `1.0.2` or later to mitigate this issue. Users of all prior versions are affected.\n\n### Workarounds\n\nIf you are unable to upgrade to a patched version, the only mitigation is to ensure that any TOML input being passed to the `js-toml` library is from a fully trusted source and has been validated to not contain malicious keys.\n\n### References\n\n- This vulnerability was discovered and responsibly disclosed by [siunam](https://github.com/siunam321).\n\n* The Proof-of-Concept can be found at this Gist: https://gist.github.com/siunam321/f3dc4d21a5a932c67b6c11d0026f5afc\n\n- For more information on Prototype Pollution, see PortSwigger\u0027s explanation: https://portswigger.net/web-security/prototype-pollution",
"id": "GHSA-65fc-cr5f-v7r2",
"modified": "2025-08-05T17:11:05Z",
"published": "2025-08-04T16:07:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sunnyadn/js-toml/security/advisories/GHSA-65fc-cr5f-v7r2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54803"
},
{
"type": "WEB",
"url": "https://github.com/sunnyadn/js-toml/commit/b125910a3f094b744c9c3571360d4b9e3a472f66"
},
{
"type": "WEB",
"url": "https://gist.github.com/siunam321/f3dc4d21a5a932c67b6c11d0026f5afc"
},
{
"type": "PACKAGE",
"url": "https://github.com/sunnyadn/js-toml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "js-toml Prototype Pollution Vulnerability"
}
GHSA-65P9-J6PG-72HJ
Vulnerability from github – Published: 2025-06-04 03:30 – Updated: 2025-07-29 21:42billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "billboard.js"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.15.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-49223"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-29T21:42:33Z",
"nvd_published_at": "2025-06-04T03:15:27Z",
"severity": "CRITICAL"
},
"details": "billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
"id": "GHSA-65p9-j6pg-72hj",
"modified": "2025-07-29T21:42:33Z",
"published": "2025-06-04T03:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49223"
},
{
"type": "WEB",
"url": "https://github.com/naver/billboard.js/commit/82ea7ac4f5720d6a7f0c2fa5a5dad51a549667bb"
},
{
"type": "WEB",
"url": "https://cve.naver.com/detail/cve-2025-49223.html"
},
{
"type": "WEB",
"url": "https://github.com/louay-075/CVE-2025-49223-BillboardJS-PoC"
},
{
"type": "PACKAGE",
"url": "https://github.com/naver/billboard.js"
},
{
"type": "WEB",
"url": "https://github.com/naver/billboard.js/blob/938f263feca453fba5a4dc48d86b32cc5b509443/src/core.ts#L95"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "billboard.js allows prototype pollution via the function generate"
}
GHSA-65RP-MHQF-8GJ3
Vulnerability from github – Published: 2023-02-24 06:30 – Updated: 2023-03-03 00:12All versions of the package rangy are vulnerable to Prototype Pollution when using the extend() function in file rangy-core.js.The function uses recursive merge which can lead an attacker to modify properties of the Object.prototype.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "rangy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26102"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-24T16:23:36Z",
"nvd_published_at": "2023-02-24T05:15:00Z",
"severity": "HIGH"
},
"details": "All versions of the package rangy are vulnerable to Prototype Pollution when using the `extend()` function in file `rangy-core.js`.The function uses recursive merge which can lead an attacker to modify properties of the Object.prototype.",
"id": "GHSA-65rp-mhqf-8gj3",
"modified": "2023-03-03T00:12:19Z",
"published": "2023-02-24T06:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26102"
},
{
"type": "WEB",
"url": "https://github.com/timdown/rangy/issues/478"
},
{
"type": "PACKAGE",
"url": "https://github.com/timdown/rangy"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-RANGY-3175702"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "rangy vulnerable to Prototype Pollution"
}
GHSA-66RH-8FW6-59Q6
Vulnerability from github – Published: 2019-08-21 16:15 – Updated: 2022-08-03 16:21Versions of assign-deep prior to 1.0.1 and 0.4.8 are vulnerable to Prototype Pollution. The assign function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.
Recommendation
Upgrade to versions 1.0.1, 0.4.8, or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "assign-deep"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "assign-deep"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0.0"
]
}
],
"aliases": [
"CVE-2019-10745"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-20",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2019-08-21T15:53:43Z",
"nvd_published_at": "2019-08-20T19:15:00Z",
"severity": "HIGH"
},
"details": "Versions of `assign-deep` prior to 1.0.1 and 0.4.8 are vulnerable to Prototype Pollution. The `assign` function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.\n\n## Recommendation\n\nUpgrade to versions 1.0.1, 0.4.8, or later.",
"id": "GHSA-66rh-8fw6-59q6",
"modified": "2022-08-03T16:21:27Z",
"published": "2019-08-21T16:15:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10745"
},
{
"type": "WEB",
"url": "https://github.com/jonschlinkert/assign-deep/commit/8e3cc4a34246733672c71e96532105384937e56c"
},
{
"type": "WEB",
"url": "https://github.com/jonschlinkert/assign-deep/commit/90bf1c551d05940898168d04066bbf15060f50cc"
},
{
"type": "PACKAGE",
"url": "https://github.com/jonschlinkert/assign-deep"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-ASSIGNDEEP-450211"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "assign-deep Vulnerable to Prototype Pollution"
}
GHSA-675M-85RW-J3W4
Vulnerability from github – Published: 2019-02-07 18:17 – Updated: 2023-09-07 18:30Versions of just-extend before 4.0.0 are vulnerable to prototype pollution. Provided certain input just-extend can add or modify properties of the Object prototype. These properties will be present on all objects.
Recommendation
Update to version 4.0.0 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "just-extend"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-16489"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:18:13Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Versions of `just-extend` before 4.0.0 are vulnerable to prototype pollution. Provided certain input `just-extend` can add or modify properties of the `Object` prototype. These properties will be present on all objects.\n\n\n## Recommendation\n\nUpdate to version `4.0.0` or later.",
"id": "GHSA-675m-85rw-j3w4",
"modified": "2023-09-07T18:30:55Z",
"published": "2019-02-07T18:17:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16489"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/430291"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-675m-85rw-j3w4"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/780"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in just-extend"
}
GHSA-67MQ-H2R9-RH2M
Vulnerability from github – Published: 2021-04-13 15:23 – Updated: 2022-12-03 03:51This affects the package multi-ini before 2.1.2. It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "multi-ini"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28460"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-07T23:23:09Z",
"nvd_published_at": "2020-12-22T13:15:00Z",
"severity": "MODERATE"
},
"details": "This affects the package multi-ini before 2.1.2. It is possible to pollute an object\u0027s prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448.",
"id": "GHSA-67mq-h2r9-rh2m",
"modified": "2022-12-03T03:51:28Z",
"published": "2021-04-13T15:23:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28460"
},
{
"type": "WEB",
"url": "https://github.com/evangelion1204/multi-ini/commit/6b2212b2ce152c19538a2431415f72942c5a1bde"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-MULTIINI-1053229"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in multi-ini"
}
GHSA-6956-83FG-5WC5
Vulnerability from github – Published: 2022-03-18 00:01 – Updated: 2022-03-29 21:05The package set-in before 2.0.3 is vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. Note: This vulnerability derives from an incomplete fix of CVE-2020-28273
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "set-in"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25354"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-18T22:42:31Z",
"nvd_published_at": "2022-03-17T12:15:00Z",
"severity": "CRITICAL"
},
"details": "The package set-in before 2.0.3 is vulnerable to Prototype Pollution via the `setIn` method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049)",
"id": "GHSA-6956-83fg-5wc5",
"modified": "2022-03-29T21:05:15Z",
"published": "2022-03-18T00:01:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25354"
},
{
"type": "WEB",
"url": "https://github.com/ahdinosaur/set-in/commit/6bad255961d379e4b1f5fbc52ef9dc8420816f24"
},
{
"type": "PACKAGE",
"url": "https://github.com/ahdinosaur/set-in"
},
{
"type": "WEB",
"url": "https://github.com/ahdinosaur/set-in/blob/dfc226d95cce8129de6708661e06e0c2c06f3490/index.js%23L5"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-SETIN-2388571"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in set-in"
}
GHSA-69R2-2FG7-7HF9
Vulnerability from github – Published: 2024-06-17 15:30 – Updated: 2024-08-02 15:48A Prototype Pollution issue in abw badger-database 1.2.1 allows an attacker to execute arbitrary code via dist/badger-database.esm.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@abw/badger-database"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-36581"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-17T21:37:51Z",
"nvd_published_at": "2024-06-17T15:15:51Z",
"severity": "HIGH"
},
"details": "A Prototype Pollution issue in abw badger-database 1.2.1 allows an attacker to execute arbitrary code via dist/badger-database.esm.",
"id": "GHSA-69r2-2fg7-7hf9",
"modified": "2024-08-02T15:48:36Z",
"published": "2024-06-17T15:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36581"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/f6b2ed1b3b4bc0df994c7455fc6110bd"
},
{
"type": "PACKAGE",
"url": "https://github.com/abw/badger-database-js"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Badger Database Prototype Pollution"
}
GHSA-6C3J-C64M-QHGQ
Vulnerability from github – Published: 2019-04-26 16:29 – Updated: 2024-11-05 20:16jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "jquery"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.4"
},
{
"fixed": "3.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "jquery-rails"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "jQuery"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.4"
},
{
"fixed": "3.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "django"
},
"ranges": [
{
"events": [
{
"introduced": "2.0a1"
},
{
"fixed": "2.1.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "django"
},
"ranges": [
{
"events": [
{
"introduced": "2.2a1"
},
{
"fixed": "2.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.webjars.npm:jquery"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.4"
},
{
"fixed": "3.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "maximebf/debugbar"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-11358"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2019-04-26T16:28:41Z",
"nvd_published_at": "2019-04-20T00:29:00Z",
"severity": "MODERATE"
},
"details": "jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles `jQuery.extend(true, {}, ...)` because of `Object.prototype` pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native `Object.prototype`.",
"id": "GHSA-6c3j-c64m-qhgq",
"modified": "2024-11-05T20:16:55Z",
"published": "2019-04-26T16:29:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"type": "WEB",
"url": "https://github.com/maximebf/php-debugbar/issues/447"
},
{
"type": "WEB",
"url": "https://github.com/jquery/jquery/pull/4333"
},
{
"type": "WEB",
"url": "https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad"
},
{
"type": "WEB",
"url": "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Apr/32"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Jun/12"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/May/18"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2020-02"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2019-08"
},
{
"type": "WEB",
"url": "https://www.synology.com/security/advisory/Synology_SA_19_19"
},
{
"type": "WEB",
"url": "https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-core-2019-006"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2019/jun/03/security-releases"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4460"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4434"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20190824065237/http://www.securityfocus.com/bid/108023"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-JQUERY-174006"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450226"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190919-0001"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7%40%3Ccommits.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f%40%3Ccommits.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844%40%3Ccommits.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc%40%3Ccommits.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2019-11358.yml"
},
{
"type": "WEB",
"url": "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434"
},
{
"type": "PACKAGE",
"url": "https://github.com/jquery/jquery"
},
{
"type": "WEB",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released"
},
{
"type": "WEB",
"url": "https://backdropcms.org/security/backdrop-sa-core-2019-009"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3024"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3023"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2587"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1456"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2019:1570"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d%40%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73%40%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734%40%3Cdev.storm.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355%40%3Cdev.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08%40%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766%40%3Cdev.syncope.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa%40%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9%40%3Cissues.flink.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205%40%3Ccommits.airflow.apache.org%3E"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2019/May/10"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2019/May/11"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2019/May/13"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/06/03/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "XSS in jQuery as used in Drupal, Backdrop CMS, and other products"
}
GHSA-6C59-MWGH-R2X6
Vulnerability from github – Published: 2026-01-28 18:30 – Updated: 2026-02-05 16:14The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "jsonpath"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61140"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-02T14:09:06Z",
"nvd_published_at": "2026-01-28T16:16:13Z",
"severity": "MODERATE"
},
"details": "The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.",
"id": "GHSA-6c59-mwgh-r2x6",
"modified": "2026-02-05T16:14:30Z",
"published": "2026-01-28T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61140"
},
{
"type": "WEB",
"url": "https://github.com/dchester/jsonpath/issues/181"
},
{
"type": "WEB",
"url": "https://github.com/dchester/jsonpath/issues/194"
},
{
"type": "WEB",
"url": "https://github.com/dchester/jsonpath/pull/195"
},
{
"type": "WEB",
"url": "https://github.com/dchester/jsonpath/commit/9631412641b7095f86840a7a45b5b3afc68b0fcb"
},
{
"type": "WEB",
"url": "https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d"
},
{
"type": "PACKAGE",
"url": "https://github.com/dchester/jsonpath"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.