Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

780 vulnerabilities reference this CWE, most recent first.

GHSA-737V-MQG7-C878

Vulnerability from github – Published: 2026-04-04 06:17 – Updated: 2026-04-06 23:42
VLAI
Summary
defu: Prototype pollution via `__proto__` key in defaults argument
Details

Impact

Applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to defu() are vulnerable to prototype pollution.

A crafted payload containing a __proto__ key can override intended default values in the merged result:

import { defu } from 'defu'

const userInput = JSON.parse('{"__proto__":{"isAdmin":true}}')
const config = defu(userInput, { isAdmin: false })

config.isAdmin // true — attacker overrides the server default

Root Cause

The internal _defu function used Object.assign({}, defaults) to copy the defaults object. Object.assign invokes the __proto__ setter, which replaces the resulting object's [[Prototype]] with attacker-controlled values. Properties inherited from the polluted prototype then bypass the existing __proto__ key guard in the for...in loop and land in the final result.

Fix

Replace Object.assign({}, defaults) with object spread ({ ...defaults }), which uses [[DefineOwnProperty]] and does not invoke the __proto__ setter.

Affected Versions

<= 6.1.4

Credits

Reported by @BlackHatExploitation

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.1.4"
      },
      "package": {
        "ecosystem": "npm",
        "name": "defu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35209"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-04T06:17:53Z",
    "nvd_published_at": "2026-04-06T18:16:44Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nApplications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to `defu()` are vulnerable to prototype pollution.\n\nA crafted payload containing a `__proto__` key can override intended default values in the merged result:\n\n```js\nimport { defu } from \u0027defu\u0027\n\nconst userInput = JSON.parse(\u0027{\"__proto__\":{\"isAdmin\":true}}\u0027)\nconst config = defu(userInput, { isAdmin: false })\n\nconfig.isAdmin // true \u2014 attacker overrides the server default\n```\n\n### Root Cause\n\nThe internal `_defu` function used `Object.assign({}, defaults)` to copy the defaults object. `Object.assign` invokes the `__proto__` setter, which replaces the resulting object\u0027s `[[Prototype]]` with attacker-controlled values. Properties inherited from the polluted prototype then bypass the existing `__proto__` key guard in the `for...in` loop and land in the final result.\n\n### Fix\n\nReplace `Object.assign({}, defaults)` with object spread (`{ ...defaults }`), which uses `[[DefineOwnProperty]]` and does not invoke the `__proto__` setter.\n\n### Affected Versions\n\n\u003c= 6.1.4\n\n### Credits\n\nReported by [@BlackHatExploitation](https://github.com/BlackHatExploitation)",
  "id": "GHSA-737v-mqg7-c878",
  "modified": "2026-04-06T23:42:28Z",
  "published": "2026-04-04T06:17:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/unjs/defu/security/advisories/GHSA-737v-mqg7-c878"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35209"
    },
    {
      "type": "WEB",
      "url": "https://github.com/unjs/defu/pull/156"
    },
    {
      "type": "WEB",
      "url": "https://github.com/unjs/defu/commit/3942bfbbcaa72084bd4284846c83bd61ed7c8b29"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/unjs/defu"
    },
    {
      "type": "WEB",
      "url": "https://github.com/unjs/defu/releases/tag/v6.1.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "defu: Prototype pollution via `__proto__` key in defaults argument"
}

GHSA-74CR-77XC-8G6R

Vulnerability from github – Published: 2019-06-13 20:37 – Updated: 2021-08-16 15:28
VLAI
Summary
Prototype Pollution in @apollo/gateway
Details

Versions of @apollo/gateway prior to 0.6.2 are vulnerable to Prototype Pollution. The package uses deepMerge() to merge objects, which may allow attackers to alter the Object prototype through queries with GraphQL aliases. Carefully constructed payloads can override properties of all objects in the application. This may lead to Denial of Service or may be chained with other vulnerabilities leading to Remote Code Execution.

Recommendation

Upgrade to version 0.6.2 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@apollo/gateway"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-06-13T20:37:08Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Versions of `@apollo/gateway` prior to 0.6.2 are vulnerable to Prototype Pollution. The package uses deepMerge() to merge objects, which may allow attackers to alter the Object prototype through queries with GraphQL aliases. Carefully constructed payloads can override properties of all objects in the application. This may lead to Denial of Service or may be chained with other vulnerabilities leading to Remote Code Execution.\n\n\n## Recommendation\n\nUpgrade to version 0.6.2 or later.\n",
  "id": "GHSA-74cr-77xc-8g6r",
  "modified": "2021-08-16T15:28:22Z",
  "published": "2019-06-13T20:37:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/apollo-server/pull/2779"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/apollo-server/commit/cea7397582a293af6a5f60947da34b95e669c6c1"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-APOLLOGATEWAY-174915"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/917"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in @apollo/gateway"
}

GHSA-75MV-GP69-2CQM

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2022-12-02 21:30
VLAI
Details

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-07T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user.",
  "id": "GHSA-75mv-gp69-2cqm",
  "modified": "2022-12-02T21:30:46Z",
  "published": "2022-05-24T16:58:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17315"
    },
    {
      "type": "WEB",
      "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-042"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-75PX-5XX7-5XC7

Vulnerability from github – Published: 2026-05-12 15:01 – Updated: 2026-05-14 20:35
VLAI
Summary
protobuf.js: Code generation gadget after prototype pollution
Details

Summary

protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information.

This could cause attacker-controlled strings to be emitted into generated JavaScript code.

Impact

An attacker who can first trigger a prototype pollution vulnerability may be able to influence generated protobufjs encode or decode functions in a way that can lead to arbitrary JavaScript execution.

This issue requires a separate prototype pollution primitive before protobufjs is invoked.

Applications without a reachable prototype pollution primitive are not directly exploitable through this issue alone.

Preconditions

  • The application or one of its dependencies must allow an attacker to pollute Object.prototype.
  • The polluted property must affect protobufjs internal type lookup behavior.
  • The application must use protobufjs functionality that generates encode or decode code for affected types.
  • The generated code path must be reached after the prototype pollution has occurred.

Workarounds

Avoid running affected versions in applications where attacker-controlled input can pollute Object.prototype. If immediate upgrade is not possible, remove or mitigate reachable prototype pollution primitives and isolate schema/message processing from untrusted application state.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.5.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "protobufjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "protobufjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-12T15:01:24Z",
    "nvd_published_at": "2026-05-13T16:16:55Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nprotobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If `Object.prototype` had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information.\n\nThis could cause attacker-controlled strings to be emitted into generated JavaScript code.\n\n## Impact\n\nAn attacker who can first trigger a prototype pollution vulnerability may be able to influence generated protobufjs encode or decode functions in a way that can lead to arbitrary JavaScript execution.\n\nThis issue requires a separate prototype pollution primitive before protobufjs is invoked.\n\nApplications without a reachable prototype pollution primitive are not directly exploitable through this issue alone.\n\n## Preconditions\n\n- The application or one of its dependencies must allow an attacker to pollute `Object.prototype`.\n- The polluted property must affect protobufjs internal type lookup behavior.\n- The application must use protobufjs functionality that generates encode or decode code for affected types.\n- The generated code path must be reached after the prototype pollution has occurred.\n\n## Workarounds\n\nAvoid running affected versions in applications where attacker-controlled input can pollute `Object.prototype`. If immediate upgrade is not possible, remove or mitigate reachable prototype pollution primitives and isolate schema/message processing from untrusted application state.",
  "id": "GHSA-75px-5xx7-5xc7",
  "modified": "2026-05-14T20:35:15Z",
  "published": "2026-05-12T15:01:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-75px-5xx7-5xc7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44291"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/protobufjs/protobuf.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "protobuf.js: Code generation gadget after prototype pollution"
}

GHSA-765H-QJXV-5F44

Vulnerability from github – Published: 2022-02-10 23:51 – Updated: 2023-11-29 20:30
VLAI
Summary
Prototype Pollution in handlebars
Details

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "handlebars"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.7.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23383"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-19T21:17:59Z",
    "nvd_published_at": "2021-05-04T09:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.",
  "id": "GHSA-765h-qjxv-5f44",
  "modified": "2023-11-29T20:30:56Z",
  "published": "2022-02-10T23:51:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383"
    },
    {
      "type": "WEB",
      "url": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/handlebars-lang/handlebars.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210618-0007"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/handlebars"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in handlebars"
}

GHSA-76G8-235F-GJ6P

Vulnerability from github – Published: 2025-09-25 15:30 – Updated: 2025-09-26 13:04
VLAI
Summary
dref is vulnerable to prototype pollution
Details

A prototype pollution in the lib.set function of dref v0.1.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "dref"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-26278"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-26T13:04:47Z",
    "nvd_published_at": "2025-09-25T14:15:43Z",
    "severity": "HIGH"
  },
  "details": "A prototype pollution in the lib.set function of dref v0.1.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.",
  "id": "GHSA-76g8-235f-gj6p",
  "modified": "2025-09-26T13:04:47Z",
  "published": "2025-09-25T15:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26278"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/tariqhawis/ad92d5e683f3a5d83e0629955ff42ad7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OrangeShieldInfos/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-26278"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "dref is vulnerable to prototype pollution"
}

GHSA-76P3-8JX3-JPFQ

Vulnerability from github – Published: 2022-10-13 12:00 – Updated: 2022-11-04 20:29
VLAI
Summary
Prototype pollution in webpack loader-utils
Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils prior to version 2.0.3 via the name variable in parseQuery.js.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "loader-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "loader-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-37601"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-04T20:29:12Z",
    "nvd_published_at": "2022-10-12T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils prior to version 2.0.3 via the name variable in parseQuery.js.",
  "id": "GHSA-76p3-8jx3-jpfq",
  "modified": "2022-11-04T20:29:12Z",
  "published": "2022-10-13T12:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37601"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/loader-utils/issues/212"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/loader-utils/pull/217"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/loader-utils/pull/220"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/loader-utils/commit/4504e34c4796a5836ef70458327351675aed48a5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/loader-utils/commit/a93cf6f4702012030f6b5ee8340d5c95ec1c7d4c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/loader-utils/commit/f4e48a232fae900237c3e5ff7b57ce9e1c734de1"
    },
    {
      "type": "WEB",
      "url": "https://dl.acm.org/doi/abs/10.1145/3488932.3497769"
    },
    {
      "type": "WEB",
      "url": "https://dl.acm.org/doi/pdf/10.1145/3488932.3497769"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/webpack/loader-utils"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/loader-utils/releases/tag/v1.4.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/loader-utils/releases/tag/v2.0.3"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html"
    },
    {
      "type": "WEB",
      "url": "http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in webpack loader-utils"
}

GHSA-776F-QX25-Q3CC

Vulnerability from github – Published: 2023-04-05 21:30 – Updated: 2025-02-13 22:08
VLAI
Summary
xml2js is vulnerable to prototype pollution
Details

xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "xml2js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-0842"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-07T21:00:54Z",
    "nvd_published_at": "2023-04-05T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.",
  "id": "GHSA-776f-qx25-q3cc",
  "modified": "2025-02-13T22:08:55Z",
  "published": "2023-04-05T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0842"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Leonidas-from-XIV/node-xml2js/issues/663"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/myers"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Leonidas-from-XIV/node-xml2js"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "xml2js is vulnerable to prototype pollution"
}

GHSA-779F-WGXG-QR8F

Vulnerability from github – Published: 2020-09-03 18:10 – Updated: 2020-08-31 18:46
VLAI
Summary
Prototype Pollution in lodash.mergewith
Details

Versions of lodash.mergewith before 4.6.2 are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.6.2 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash.mergewith"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:46:16Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Versions of `lodash.mergewith` before 4.6.2 are vulnerable to prototype pollution. The function `mergeWith` may allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.6.2 or later.",
  "id": "GHSA-779f-wgxg-qr8f",
  "modified": "2020-08-31T18:46:16Z",
  "published": "2020-09-03T18:10:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1071"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Prototype Pollution in lodash.mergewith"
}

GHSA-77XQ-CPVG-7XM2

Vulnerability from github – Published: 2021-05-10 19:07 – Updated: 2023-09-05 22:45
VLAI
Summary
Prototype pollution in @tsed/core
Details

This affects the package @tsed/core before 5.65.7. This vulnerability relates to the deepExtend function which is used as part of the utils directory. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@tsed/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.65.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7748"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-20T17:41:36Z",
    "nvd_published_at": "2020-10-20T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This affects the package @tsed/core before 5.65.7. This vulnerability relates to the `deepExtend` function which is used as part of the utils directory. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.",
  "id": "GHSA-77xq-cpvg-7xm2",
  "modified": "2023-09-05T22:45:47Z",
  "published": "2021-05-10T19:07:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7748"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TypedProject/tsed/commit/1395773ddac35926cf058fc6da9fb8e82266761b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TypedProject/tsed/blob/production/packages/core/src/utils/deepExtends.ts%23L36"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tsedio/tsed"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-TSEDCORE-1019382"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in @tsed/core"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.