Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

781 vulnerabilities reference this CWE, most recent first.

GHSA-8GW3-RXH4-V6JX

Vulnerability from github – Published: 2025-11-14 18:31 – Updated: 2025-11-17 18:39
VLAI
Summary
expr-eval vulnerable to Prototype Pollution
Details

npm package expr-eval is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "expr-eval"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "expr-eval-fork"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-13204"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-17T18:39:19Z",
    "nvd_published_at": "2025-11-14T17:16:01Z",
    "severity": "HIGH"
  },
  "details": "npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.",
  "id": "GHSA-8gw3-rxh4-v6jx",
  "modified": "2025-11-17T18:39:19Z",
  "published": "2025-11-14T18:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13204"
    },
    {
      "type": "WEB",
      "url": "https://github.com/silentmatt/expr-eval/pull/252/files"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jorenbroekema/expr-eval/commit/6c475a118643ae0efe012de283e932fb8b74324b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/silentmatt/expr-eval/commit/6e889e0e75c50ac37d70c35388602025650e0c50"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SECCON/SECCON2022_final_CTF/blob/main/jeopardy/web/babybox/solver/solver.py"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jorenbroekema/expr-eval"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/silentmatt/expr-eval"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vladko312/extras/blob/f549d505af300fd74a01b46fab2102990ff1c14d/expr-eval.py"
    },
    {
      "type": "WEB",
      "url": "https://www.huntr.dev/bounties/1-npm-expr-eval"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/expr-eval-fork"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "expr-eval vulnerable to Prototype Pollution"
}

GHSA-8GWJ-8HXC-285W

Vulnerability from github – Published: 2021-11-08 17:43 – Updated: 2021-11-08 17:43
VLAI
Summary
Prototype Pollution in json-ptr
Details

This affects the package json-ptr before 3.0.0. A type confusion vulnerability can lead to a bypass of CVE-2020-7766 when the user-provided keys used in the pointer parameter are arrays.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "json-ptr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23509"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-843"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-04T16:56:49Z",
    "nvd_published_at": "2021-11-03T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This affects the package `json-ptr` before `3.0.0`. A type confusion vulnerability can lead to a bypass of CVE-2020-7766 when the user-provided keys used in the pointer parameter are arrays.",
  "id": "GHSA-8gwj-8hxc-285w",
  "modified": "2021-11-08T17:43:16Z",
  "published": "2021-11-08T17:43:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23509"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flitbit/json-ptr/pull/42"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flitbit/json-ptr/commit/5dc458fbad1c382a2e3ca6d62e66ede3d92849ca"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/flitbit/json-ptr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flitbit/json-ptr%23security-vulnerabilities-resolved"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-JSONPTR-1577291"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in json-ptr"
}

GHSA-8HQ9-PHH3-P2WP

Vulnerability from github – Published: 2026-03-17 16:17 – Updated: 2026-03-19 19:01
VLAI
Summary
Elysia Cookie Value Prototype Pollution
Details

Impact

Elysia cookie can be overridden by prototype pollution , eg. __proto__

Sending cookie with the follows name can override cookie value:

__proto__=%7B%22injected%22%3A%22polluted%22%7D

Patches

Patched by 1.4.27

Workarounds

  1. Use t.Cookie validation to enforce validation value
  2. Prevent iterable over cookie if possible
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "elysia"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31865"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T16:17:41Z",
    "nvd_published_at": "2026-03-18T04:17:19Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nElysia cookie can be overridden by prototype pollution , eg. `__proto__`\n\nSending cookie with the follows name can override cookie value:\n```bash\n__proto__=%7B%22injected%22%3A%22polluted%22%7D\n```\n\n### Patches\nPatched by 1.4.27\n\n### Workarounds\n1. Use t.Cookie validation to enforce validation value\n2. Prevent iterable over cookie if possible",
  "id": "GHSA-8hq9-phh3-p2wp",
  "modified": "2026-03-19T19:01:12Z",
  "published": "2026-03-17T16:17:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-8hq9-phh3-p2wp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31865"
    },
    {
      "type": "WEB",
      "url": "https://github.com/elysiajs/elysia/commit/e9d6b1743fa7368ef942dce181f6a089757f6aab"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/elysiajs/elysia"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Elysia Cookie Value Prototype Pollution"
}

GHSA-8J49-49JQ-VWCQ

Vulnerability from github – Published: 2020-09-04 15:15 – Updated: 2020-08-31 18:55
VLAI
Summary
Prototype Pollution in getsetdeep
Details

All versions of getsetdeep are vulnerable to prototype pollution. The setDeep() function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "getsetdeep"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:55:30Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "All versions of `getsetdeep` are vulnerable to prototype pollution. The `setDeep()` function does not restrict the modification of an Object\u0027s prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative package until a fix is made available.",
  "id": "GHSA-8j49-49jq-vwcq",
  "modified": "2020-08-31T18:55:30Z",
  "published": "2020-09-04T15:15:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1334"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Prototype Pollution in getsetdeep"
}

GHSA-8MMM-9V2Q-X3F9

Vulnerability from github – Published: 2022-10-12 12:00 – Updated: 2024-04-22 23:15
VLAI
Summary
tschaub gh-pages vulnerable to prototype pollution
Details

Prototype pollution vulnerability in tschaub gh-pages via the partial variable in util.js.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "gh-pages"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-37611"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-22T23:15:25Z",
    "nvd_published_at": "2022-10-12T01:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in tschaub gh-pages via the partial variable in util.js.",
  "id": "GHSA-8mmm-9v2q-x3f9",
  "modified": "2024-04-22T23:15:25Z",
  "published": "2022-10-12T12:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37611"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tschaub/gh-pages/issues/446"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tschaub/gh-pages/pull/452"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tschaub/gh-pages"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tschaub/gh-pages/blob/e363b144defe8e555f5a54251a6f7f1297c0e3f6/lib/util.js#L11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tschaub/gh-pages/blob/e363b144defe8e555f5a54251a6f7f1297c0e3f6/lib/util.js#L16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "tschaub gh-pages vulnerable to prototype pollution"
}

GHSA-8MP8-28XH-R486

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2023-10-19 18:24
VLAI
Summary
keyget vulnerable to prototype pollution
Details

Overview

Prototype pollution vulnerability in 'keyget' versions 1.0.0 through 2.2.0 allows attacker to cause a denial of service and may lead to remote code execution.

Details

The npm module 'keyget' can be abused by Prototype Pollution vulnerability since the function 'setByPath()' did not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.

PoC Details

The setByPath() function accepts three arguments target, path, value. Due to the absence of validation, at values passed into path, value an attacker can supply a malicious value by adjusting the path value to include the __proto__ property. Since there is no validation before assigning property to check whether the assigned path is the Object's own property or not, the property polluted will be directly be assigned to the empty obj({}) thereby polluting the Object prototype. Later in the code, if there is a check to validate polluted the value would be substituted as "true" as it had been polluted.

PoC Code

var keyget = require("keyget")
 keyget.set({}, '__proto__.polluted', 'true');
 console.log(polluted); 
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "keyget"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28272"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-19T18:24:49Z",
    "nvd_published_at": "2020-12-02T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Overview\nPrototype pollution vulnerability in \u0027keyget\u0027 versions 1.0.0 through 2.2.0 allows attacker to cause a denial of service and may lead to remote code execution.\n\n### Details\nThe npm module \u0027keyget\u0027 can be abused by Prototype Pollution vulnerability since the function \u0027setByPath()\u0027 did not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.\n\n### PoC Details\nThe `setByPath()` function accepts three arguments `target, path, value`. Due to the absence of validation, at values passed into `path, value` an attacker can supply a malicious value by adjusting the `path` value to include the `__proto__` property. Since there is no validation before assigning property to check whether the assigned `path` is the Object\u0027s own property or not, the property `polluted` will be directly be assigned to the empty obj({}) thereby polluting the Object prototype. Later in the code, if there is a check to validate `polluted` the value would be substituted as \"true\" as it had been polluted.\n\n### PoC Code\n```js\nvar keyget = require(\"keyget\")\n keyget.set({}, \u0027__proto__.polluted\u0027, \u0027true\u0027);\n console.log(polluted); \n```",
  "id": "GHSA-8mp8-28xh-r486",
  "modified": "2023-10-19T18:24:49Z",
  "published": "2022-05-24T17:35:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28272"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rumkin/keyget/commit/17d15b6c75036eb429075a8cfeccfc18094dd2e2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rumkin/keyget"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20201207183211/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28272"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "keyget vulnerable to prototype pollution"
}

GHSA-8MQX-QM24-G4FH

Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 15:30
VLAI
Details

If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-22T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox \u003c 102, Firefox ESR \u003c 91.11, Thunderbird \u003c 102, and Thunderbird \u003c 91.11.",
  "id": "GHSA-8mqx-qm24-g4fh",
  "modified": "2025-04-15T15:30:34Z",
  "published": "2022-12-22T21:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2200"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1771381"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-24"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-25"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-26"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8P36-Q63G-68QH

Vulnerability from github – Published: 2021-05-13 22:31 – Updated: 2022-12-03 03:46
VLAI
Summary
Autobinding vulnerability in MITREid Connect
Details

org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth authorization flow, in which HTTP request parameters affect an authorizationRequest.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.mitre:openid-connect-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-27582"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-07T18:32:32Z",
    "nvd_published_at": "2021-02-23T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth authorization flow, in which HTTP request parameters affect an authorizationRequest.",
  "id": "GHSA-8p36-q63g-68qh",
  "modified": "2022-12-03T03:46:40Z",
  "published": "2021-05-13T22:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27582"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/commit/7eba3c12fed82388f917e8dd9b73e86e3a311e4c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server"
    },
    {
      "type": "WEB",
      "url": "https://portswigger.net/research/hidden-oauth-attack-vectors"
    },
    {
      "type": "WEB",
      "url": "http://agrrrdog.blogspot.com/2017/03/autobinding-vulns-and-spring-mvc.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Autobinding vulnerability in MITREid Connect"
}

GHSA-8PPR-WWW8-HFJX

Vulnerability from github – Published: 2024-03-25 15:30 – Updated: 2024-08-02 15:59
VLAI
Summary
@thi.ng/paths Prototype Pollution vulnerability
Details

An issue in @thi.ng/paths v.5.1.62 and before allows a remote attacker to execute arbitrary code via the mutIn and mutInManyUnsafe components.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@thi.ng/paths"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.1.63"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-29650"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-25T19:34:46Z",
    "nvd_published_at": "2024-03-25T15:15:52Z",
    "severity": "CRITICAL"
  },
  "details": "An issue in @thi.ng/paths v.5.1.62 and before allows a remote attacker to execute arbitrary code via the `mutIn` and `mutInManyUnsafe` components.",
  "id": "GHSA-8ppr-www8-hfjx",
  "modified": "2024-08-02T15:59:13Z",
  "published": "2024-03-25T15:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29650"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thi-ng/umbrella/issues/445"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thi-ng/umbrella/commit/c78b484882ad5214a46ef83ddb8020571c171353"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/tariqhawis/1bc340ca5ea6ae115c9ab9665cfd5921"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thi-ng/umbrella"
    },
    {
      "type": "WEB",
      "url": "https://learn.snyk.io/lesson/prototype-pollution/#a0a863a5-fd3a-539f-e1ed-a0769f6c6e3b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@thi.ng/paths Prototype Pollution vulnerability"
}

GHSA-8QM3-746X-R74R

Vulnerability from github – Published: 2026-02-19 20:29 – Updated: 2026-02-19 20:29
VLAI
Summary
devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed
Details

Under certain circumstances, unevaling untrusted data can produce output code that will create objects with polluted prototypes when later evaled, meaning the output data can be a different shape from the input data.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.6.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "devalue"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-19T20:29:17Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "Under certain circumstances, `uneval`ing untrusted data can produce output code that will create objects with polluted prototypes when later `eval`ed, meaning the output data can be a different shape from the input data.",
  "id": "GHSA-8qm3-746x-r74r",
  "modified": "2026-02-19T20:29:17Z",
  "published": "2026-02-19T20:29:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/devalue/security/advisories/GHSA-8qm3-746x-r74r"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/devalue/commit/0f04d4d678eac39ad5d7a07d1956275d7874e81c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sveltejs/devalue"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/devalue/releases/tag/v5.6.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.