Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

780 vulnerabilities reference this CWE, most recent first.

GHSA-8V3J-JFG3-V3FV

Vulnerability from github – Published: 2022-03-18 00:01 – Updated: 2022-09-06 19:45
VLAI
Summary
Prototype Pollution in Sails.js
Details

Sails.js <= 1.5.2 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules(). A patch is available in the master branch of Sails.js's GItHub repository.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "sails"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-44908"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-18T23:04:49Z",
    "nvd_published_at": "2022-03-17T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Sails.js \u003c= 1.5.2 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules(). A [patch](https://github.com/balderdashy/sails/commit/7c5379a656bb305c958df1dcc2b51a9668830358) is available in the `master` branch of Sails.js\u0027s GItHub repository.",
  "id": "GHSA-8v3j-jfg3-v3fv",
  "modified": "2022-09-06T19:45:27Z",
  "published": "2022-03-18T00:01:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44908"
    },
    {
      "type": "WEB",
      "url": "https://github.com/balderdashy/sails/issues/7209"
    },
    {
      "type": "WEB",
      "url": "https://github.com/balderdashy/sails/commit/7c5379a656bb305c958df1dcc2b51a9668830358"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/sailsJS%20PoC.zip"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/balderdashy/sails"
    },
    {
      "type": "WEB",
      "url": "https://github.com/balderdashy/sails/blob/master/lib/app/private/controller/load-action-modules.js#L32"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in Sails.js"
}

GHSA-8V63-CQQC-6R2C

Vulnerability from github – Published: 2021-09-20 20:46 – Updated: 2022-08-11 21:52
VLAI
Summary
Prototype Pollution in object-path
Details

object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The del() function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like toString on all objects.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "object-path"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3805"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-20T20:13:12Z",
    "nvd_published_at": "2021-09-17T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027). The `del()` function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like `toString` on all objects.",
  "id": "GHSA-8v63-cqqc-6r2c",
  "modified": "2022-08-11T21:52:14Z",
  "published": "2021-09-20T20:46:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3805"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mariocasciaro/object-path"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00031.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in object-path"
}

GHSA-8V65-5FW5-23WJ

Vulnerability from github – Published: 2025-09-24 21:30 – Updated: 2025-09-25 17:48
VLAI
Summary
node-cube vulnerable to prototype pollution
Details

The node-cube package (prior to version 5.0.0) contains a vulnerability in its handling of prototype chain initialization, which could allow an attacker to inject properties into the prototype of built-in objects. This issue, categorized under CWE-1321, arises from improper validation of user-supplied input in the package's resource initialization process. Successful exploitation may lead to denial of service or arbitrary code execution in affected environments. The vulnerability affects versions up to and including 5.0.0-beta.19, and no official fix has been released to date.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-cube"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "5.0.0-beta.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-57348"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-25T17:48:20Z",
    "nvd_published_at": "2025-09-24T19:15:40Z",
    "severity": "LOW"
  },
  "details": "The node-cube package (prior to version 5.0.0) contains a vulnerability in its handling of prototype chain initialization, which could allow an attacker to inject properties into the prototype of built-in objects. This issue, categorized under CWE-1321, arises from improper validation of user-supplied input in the package\u0027s resource initialization process. Successful exploitation may lead to denial of service or arbitrary code execution in affected environments. The vulnerability affects versions up to and including 5.0.0-beta.19, and no official fix has been released to date.",
  "id": "GHSA-8v65-5fw5-23wj",
  "modified": "2025-09-25T17:48:20Z",
  "published": "2025-09-24T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57348"
    },
    {
      "type": "WEB",
      "url": "https://github.com/node-cube/cube/issues/153"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57348"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/node-cube/cube"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "node-cube vulnerable to prototype pollution"
}

GHSA-8V9X-9XQG-R8MR

Vulnerability from github – Published: 2021-05-10 19:17 – Updated: 2021-04-19 22:31
VLAI
Summary
Prototype pollution in json8-merge-patch
Details

Prototype pollution vulnerability in json8-merge-patch npm package < 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "json8-merge-patch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-8268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-20",
      "CWE-471"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-19T22:31:31Z",
    "nvd_published_at": "2020-11-09T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Prototype pollution vulnerability in json8-merge-patch npm package \u003c 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor.",
  "id": "GHSA-8v9x-9xqg-r8mr",
  "modified": "2021-04-19T22:31:31Z",
  "published": "2021-05-10T19:17:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8268"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sonnyp/JSON8/issues/113"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sonnyp/JSON8/commit/2e890261b66cbc54ae01d0c79c71b0fd18379e7e#diff-faa7bef039022bc7ca1c613331b2373950ddd3d65ebf25d1699fbdf89773a387"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/980649"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/json8-merge-patch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in json8-merge-patch"
}

GHSA-8VR4-H4RR-8PH6

Vulnerability from github – Published: 2024-05-20 18:31 – Updated: 2024-08-20 18:03
VLAI
Summary
MiguelCastillo @bit/loader Prototype Pollution issue
Details

A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 allows an attacker to execute arbitrary code via the M function e argument in index.js.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@bit/loader"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "10.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-20T20:56:14Z",
    "nvd_published_at": "2024-05-20T18:15:10Z",
    "severity": "HIGH"
  },
  "details": "A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 allows an attacker to execute arbitrary code via the M function e argument in index.js.",
  "id": "GHSA-8vr4-h4rr-8ph6",
  "modified": "2024-08-20T18:03:43Z",
  "published": "2024-05-20T18:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24293"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/tariqhawis/986fb1c9da6be526fb2656ba8d194b7f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MiguelCastillo/bit-loader"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MiguelCastillo @bit/loader Prototype Pollution issue"
}

GHSA-8VV3-JXM8-F4VF

Vulnerability from github – Published: 2021-05-06 17:29 – Updated: 2021-05-05 21:19
VLAI
Summary
Prototype Pollution in connie-lang
Details

The package connie-lang before 0.1.1 are vulnerable to Prototype Pollution in the configuration language library used by connie.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "connie-lang"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7706"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T21:19:56Z",
    "nvd_published_at": "2020-08-18T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The package connie-lang before 0.1.1 are vulnerable to Prototype Pollution in the configuration language library used by connie.",
  "id": "GHSA-8vv3-jxm8-f4vf",
  "modified": "2021-05-05T21:19:56Z",
  "published": "2021-05-06T17:29:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7706"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattinsler/connie-lang/commit/ef376d404c712dd28309ba07f28a8f87f24a015a"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-CONNIELANG-598853"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in connie-lang"
}

GHSA-8XXM-H73R-GHFJ

Vulnerability from github – Published: 2022-02-07 22:37 – Updated: 2023-07-13 19:05
VLAI
Summary
Validation bypass in frourio
Details

日本語

影響

v0.26.0以前のfrourioを使用している、かつvalidators/を利用している場合、ネストされたバリデータがリクエストのボディーとクエリに対して正しく働かないケースがあります。また、リクエストに対してバリデーションが効かなくなる入力があります。

パッチ

frourioをv0.26.0かそれ以降のバージョンにアップデートをお願いします。frourio を使用したプロジェクトには class-transformerreflect-metadata の依存への追加も必要となります。

ワークアラウンド

controller側で自分でclass-transformerを使用してチェックする、vaildatorを使わない、など。

さらなる情報

このセキュリティ勧告に関する質問やコメントについては、以下の方法でお問い合わせいただけます。 * frourioにIssueを開く。

English

Impact

Frourio users who uses frourio version prior to v0.26.0 and integration with class-validator through validators/ folder. Validators does not work properly for request bodies and queries in specific situations. Addtionally, some kind of input is not validated. (false positives)

Patches

Please update your frourio to v0.26.0 or later. You also need to install class-transformer and reflect-metadata to your project.

Workarounds

Validate objects from request with class-transformer in controllers by yourself, or prevent using validators.

For more information

If you have any questions or comments about this advisory: * Open an issue in frourio

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "frourio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23623"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-07T22:37:45Z",
    "nvd_published_at": "2022-02-07T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "## \u65e5\u672c\u8a9e\n\n### \u5f71\u97ff\nv0.26.0\u4ee5\u524d\u306efrourio\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u3001\u304b\u3064validators/\u3092\u5229\u7528\u3057\u3066\u3044\u308b\u5834\u5408\u3001\u30cd\u30b9\u30c8\u3055\u308c\u305f\u30d0\u30ea\u30c7\u30fc\u30bf\u304c\u30ea\u30af\u30a8\u30b9\u30c8\u306e\u30dc\u30c7\u30a3\u30fc\u3068\u30af\u30a8\u30ea\u306b\u5bfe\u3057\u3066\u6b63\u3057\u304f\u50cd\u304b\u306a\u3044\u30b1\u30fc\u30b9\u304c\u3042\u308a\u307e\u3059\u3002\u307e\u305f\u3001\u30ea\u30af\u30a8\u30b9\u30c8\u306b\u5bfe\u3057\u3066\u30d0\u30ea\u30c7\u30fc\u30b7\u30e7\u30f3\u304c\u52b9\u304b\u306a\u304f\u306a\u308b\u5165\u529b\u304c\u3042\u308a\u307e\u3059\u3002\n\n### \u30d1\u30c3\u30c1\nfrourio\u3092v0.26.0\u304b\u305d\u308c\u4ee5\u964d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306b\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u3092\u304a\u9858\u3044\u3057\u307e\u3059\u3002frourio \u3092\u4f7f\u7528\u3057\u305f\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u306b\u306f `class-transformer` \u3068 `reflect-metadata` \u306e\u4f9d\u5b58\u3078\u306e\u8ffd\u52a0\u3082\u5fc5\u8981\u3068\u306a\u308a\u307e\u3059\u3002\n\n### \u30ef\u30fc\u30af\u30a2\u30e9\u30a6\u30f3\u30c9\ncontroller\u5074\u3067\u81ea\u5206\u3067class-transformer\u3092\u4f7f\u7528\u3057\u3066\u30c1\u30a7\u30c3\u30af\u3059\u308b\u3001vaildator\u3092\u4f7f\u308f\u306a\u3044\u3001\u306a\u3069\u3002\n\n### \u3055\u3089\u306a\u308b\u60c5\u5831\n\n\u3053\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u52e7\u544a\u306b\u95a2\u3059\u308b\u8cea\u554f\u3084\u30b3\u30e1\u30f3\u30c8\u306b\u3064\u3044\u3066\u306f\u3001\u4ee5\u4e0b\u306e\u65b9\u6cd5\u3067\u304a\u554f\u3044\u5408\u308f\u305b\u3044\u305f\u3060\u3051\u307e\u3059\u3002\n* [frourio](https://github.com/frouriojs/frourio)\u306bIssue\u3092\u958b\u304f\u3002\n\n## English\n\n### Impact\nFrourio users who uses frourio version prior to v0.26.0 and integration with class-validator through `validators/` folder. Validators does not work properly for request bodies and queries in specific situations. Addtionally, some kind of input is not validated. (false positives)\n\n### Patches\nPlease update your frourio to v0.26.0 or later. You also need to install `class-transformer` and `reflect-metadata` to your project.\n\n### Workarounds\nValidate objects from request with class-transformer in controllers by yourself, or prevent using validators.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [frourio](https://github.com/frouriojs/frourio)\n",
  "id": "GHSA-8xxm-h73r-ghfj",
  "modified": "2023-07-13T19:05:16Z",
  "published": "2022-02-07T22:37:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/frouriojs/frourio/security/advisories/GHSA-8xxm-h73r-ghfj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23623"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frouriojs/frourio/commit/7c19ac5363305b81b1c6b5232620228763d427af"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/frouriojs/frourio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Validation bypass in frourio"
}

GHSA-92V9-XH2Q-FQ9F

Vulnerability from github – Published: 2021-09-20 20:12 – Updated: 2022-12-03 04:00
VLAI
Summary
Prototype Pollution in cookiex/deep
Details

The npm @cookiex/deep package before version 0.0.7 has a prototype pollution vulnerability. The global proto object can be polluted using the proto object.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@cookiex/deep"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-20T19:26:16Z",
    "nvd_published_at": "2021-09-17T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "The npm @cookiex/deep package before version 0.0.7 has a prototype pollution vulnerability. The global proto object can be polluted using the __proto__ object.",
  "id": "GHSA-92v9-xh2q-fq9f",
  "modified": "2022-12-03T04:00:48Z",
  "published": "2021-09-20T20:12:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23442"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tony-tsx/cookiex-deep/issues/1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tony-tsx/cookiex-deep/commit/b5bea2b7f34a5fa9abb4446cbd038ecdbcd09c88"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tony-tsx/cookiex-deep"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-COOKIEXDEEP-1582793"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in cookiex/deep"
}

GHSA-92XJ-MQP7-VMCJ

Vulnerability from github – Published: 2020-09-14 21:42 – Updated: 2022-12-03 04:06
VLAI
Summary
Prototype Pollution in node-forge
Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: version 0.10.0 is a breaking change removing the vulnerable functions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-forge"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-09-14T21:41:51Z",
    "nvd_published_at": "2020-09-01T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: version 0.10.0 is a breaking change removing the vulnerable functions.",
  "id": "GHSA-92xj-mqp7-vmcj",
  "modified": "2022-12-03T04:06:21Z",
  "published": "2020-09-14T21:42:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7720"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/commit/6a1e3ef74f6eb345bcff1b82184201d1e28b6756"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/digitalbazaar/forge"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md#removed"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in node-forge"
}

GHSA-9354-P3XR-GQW5

Vulnerability from github – Published: 2024-07-24 15:31 – Updated: 2024-07-24 15:31
VLAI
Details

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22443"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-24T15:15:11Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.",
  "id": "GHSA-9354-p3xr-gqw5",
  "modified": "2024-07-24T15:31:28Z",
  "published": "2024-07-24T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22443"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04672en_us\u0026docLocale=en_US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.