CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
780 vulnerabilities reference this CWE, most recent first.
GHSA-8V3J-JFG3-V3FV
Vulnerability from github – Published: 2022-03-18 00:01 – Updated: 2022-09-06 19:45Sails.js <= 1.5.2 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules(). A patch is available in the master branch of Sails.js's GItHub repository.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "sails"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-44908"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-18T23:04:49Z",
"nvd_published_at": "2022-03-17T12:15:00Z",
"severity": "CRITICAL"
},
"details": "Sails.js \u003c= 1.5.2 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules(). A [patch](https://github.com/balderdashy/sails/commit/7c5379a656bb305c958df1dcc2b51a9668830358) is available in the `master` branch of Sails.js\u0027s GItHub repository.",
"id": "GHSA-8v3j-jfg3-v3fv",
"modified": "2022-09-06T19:45:27Z",
"published": "2022-03-18T00:01:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44908"
},
{
"type": "WEB",
"url": "https://github.com/balderdashy/sails/issues/7209"
},
{
"type": "WEB",
"url": "https://github.com/balderdashy/sails/commit/7c5379a656bb305c958df1dcc2b51a9668830358"
},
{
"type": "WEB",
"url": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/sailsJS%20PoC.zip"
},
{
"type": "PACKAGE",
"url": "https://github.com/balderdashy/sails"
},
{
"type": "WEB",
"url": "https://github.com/balderdashy/sails/blob/master/lib/app/private/controller/load-action-modules.js#L32"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in Sails.js"
}
GHSA-8V63-CQQC-6R2C
Vulnerability from github – Published: 2021-09-20 20:46 – Updated: 2022-08-11 21:52object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The del() function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like toString on all objects.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "object-path"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.11.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3805"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-20T20:13:12Z",
"nvd_published_at": "2021-09-17T06:15:00Z",
"severity": "HIGH"
},
"details": "object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027). The `del()` function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like `toString` on all objects.",
"id": "GHSA-8v63-cqqc-6r2c",
"modified": "2022-08-11T21:52:14Z",
"published": "2021-09-20T20:46:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3805"
},
{
"type": "WEB",
"url": "https://github.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884"
},
{
"type": "PACKAGE",
"url": "https://github.com/mariocasciaro/object-path"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00031.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in object-path"
}
GHSA-8V65-5FW5-23WJ
Vulnerability from github – Published: 2025-09-24 21:30 – Updated: 2025-09-25 17:48The node-cube package (prior to version 5.0.0) contains a vulnerability in its handling of prototype chain initialization, which could allow an attacker to inject properties into the prototype of built-in objects. This issue, categorized under CWE-1321, arises from improper validation of user-supplied input in the package's resource initialization process. Successful exploitation may lead to denial of service or arbitrary code execution in affected environments. The vulnerability affects versions up to and including 5.0.0-beta.19, and no official fix has been released to date.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-cube"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.0.0-beta.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-57348"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-25T17:48:20Z",
"nvd_published_at": "2025-09-24T19:15:40Z",
"severity": "LOW"
},
"details": "The node-cube package (prior to version 5.0.0) contains a vulnerability in its handling of prototype chain initialization, which could allow an attacker to inject properties into the prototype of built-in objects. This issue, categorized under CWE-1321, arises from improper validation of user-supplied input in the package\u0027s resource initialization process. Successful exploitation may lead to denial of service or arbitrary code execution in affected environments. The vulnerability affects versions up to and including 5.0.0-beta.19, and no official fix has been released to date.",
"id": "GHSA-8v65-5fw5-23wj",
"modified": "2025-09-25T17:48:20Z",
"published": "2025-09-24T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57348"
},
{
"type": "WEB",
"url": "https://github.com/node-cube/cube/issues/153"
},
{
"type": "WEB",
"url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57348"
},
{
"type": "PACKAGE",
"url": "https://github.com/node-cube/cube"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "node-cube vulnerable to prototype pollution"
}
GHSA-8V9X-9XQG-R8MR
Vulnerability from github – Published: 2021-05-10 19:17 – Updated: 2021-04-19 22:31Prototype pollution vulnerability in json8-merge-patch npm package < 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "json8-merge-patch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-8268"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-20",
"CWE-471"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-19T22:31:31Z",
"nvd_published_at": "2020-11-09T15:15:00Z",
"severity": "HIGH"
},
"details": "Prototype pollution vulnerability in json8-merge-patch npm package \u003c 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor.",
"id": "GHSA-8v9x-9xqg-r8mr",
"modified": "2021-04-19T22:31:31Z",
"published": "2021-05-10T19:17:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8268"
},
{
"type": "WEB",
"url": "https://github.com/sonnyp/JSON8/issues/113"
},
{
"type": "WEB",
"url": "https://github.com/sonnyp/JSON8/commit/2e890261b66cbc54ae01d0c79c71b0fd18379e7e#diff-faa7bef039022bc7ca1c613331b2373950ddd3d65ebf25d1699fbdf89773a387"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/980649"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/json8-merge-patch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in json8-merge-patch"
}
GHSA-8VR4-H4RR-8PH6
Vulnerability from github – Published: 2024-05-20 18:31 – Updated: 2024-08-20 18:03A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 allows an attacker to execute arbitrary code via the M function e argument in index.js.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@bit/loader"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-24293"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-20T20:56:14Z",
"nvd_published_at": "2024-05-20T18:15:10Z",
"severity": "HIGH"
},
"details": "A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 allows an attacker to execute arbitrary code via the M function e argument in index.js.",
"id": "GHSA-8vr4-h4rr-8ph6",
"modified": "2024-08-20T18:03:43Z",
"published": "2024-05-20T18:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24293"
},
{
"type": "WEB",
"url": "https://gist.github.com/tariqhawis/986fb1c9da6be526fb2656ba8d194b7f"
},
{
"type": "PACKAGE",
"url": "https://github.com/MiguelCastillo/bit-loader"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MiguelCastillo @bit/loader Prototype Pollution issue"
}
GHSA-8VV3-JXM8-F4VF
Vulnerability from github – Published: 2021-05-06 17:29 – Updated: 2021-05-05 21:19The package connie-lang before 0.1.1 are vulnerable to Prototype Pollution in the configuration language library used by connie.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "connie-lang"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7706"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-05T21:19:56Z",
"nvd_published_at": "2020-08-18T10:15:00Z",
"severity": "CRITICAL"
},
"details": "The package connie-lang before 0.1.1 are vulnerable to Prototype Pollution in the configuration language library used by connie.",
"id": "GHSA-8vv3-jxm8-f4vf",
"modified": "2021-05-05T21:19:56Z",
"published": "2021-05-06T17:29:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7706"
},
{
"type": "WEB",
"url": "https://github.com/mattinsler/connie-lang/commit/ef376d404c712dd28309ba07f28a8f87f24a015a"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-CONNIELANG-598853"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in connie-lang"
}
GHSA-8XXM-H73R-GHFJ
Vulnerability from github – Published: 2022-02-07 22:37 – Updated: 2023-07-13 19:05日本語
影響
v0.26.0以前のfrourioを使用している、かつvalidators/を利用している場合、ネストされたバリデータがリクエストのボディーとクエリに対して正しく働かないケースがあります。また、リクエストに対してバリデーションが効かなくなる入力があります。
パッチ
frourioをv0.26.0かそれ以降のバージョンにアップデートをお願いします。frourio を使用したプロジェクトには class-transformer と reflect-metadata の依存への追加も必要となります。
ワークアラウンド
controller側で自分でclass-transformerを使用してチェックする、vaildatorを使わない、など。
さらなる情報
このセキュリティ勧告に関する質問やコメントについては、以下の方法でお問い合わせいただけます。 * frourioにIssueを開く。
English
Impact
Frourio users who uses frourio version prior to v0.26.0 and integration with class-validator through validators/ folder. Validators does not work properly for request bodies and queries in specific situations. Addtionally, some kind of input is not validated. (false positives)
Patches
Please update your frourio to v0.26.0 or later. You also need to install class-transformer and reflect-metadata to your project.
Workarounds
Validate objects from request with class-transformer in controllers by yourself, or prevent using validators.
For more information
If you have any questions or comments about this advisory: * Open an issue in frourio
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "frourio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.26.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23623"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-07T22:37:45Z",
"nvd_published_at": "2022-02-07T23:15:00Z",
"severity": "HIGH"
},
"details": "## \u65e5\u672c\u8a9e\n\n### \u5f71\u97ff\nv0.26.0\u4ee5\u524d\u306efrourio\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u3001\u304b\u3064validators/\u3092\u5229\u7528\u3057\u3066\u3044\u308b\u5834\u5408\u3001\u30cd\u30b9\u30c8\u3055\u308c\u305f\u30d0\u30ea\u30c7\u30fc\u30bf\u304c\u30ea\u30af\u30a8\u30b9\u30c8\u306e\u30dc\u30c7\u30a3\u30fc\u3068\u30af\u30a8\u30ea\u306b\u5bfe\u3057\u3066\u6b63\u3057\u304f\u50cd\u304b\u306a\u3044\u30b1\u30fc\u30b9\u304c\u3042\u308a\u307e\u3059\u3002\u307e\u305f\u3001\u30ea\u30af\u30a8\u30b9\u30c8\u306b\u5bfe\u3057\u3066\u30d0\u30ea\u30c7\u30fc\u30b7\u30e7\u30f3\u304c\u52b9\u304b\u306a\u304f\u306a\u308b\u5165\u529b\u304c\u3042\u308a\u307e\u3059\u3002\n\n### \u30d1\u30c3\u30c1\nfrourio\u3092v0.26.0\u304b\u305d\u308c\u4ee5\u964d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306b\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u3092\u304a\u9858\u3044\u3057\u307e\u3059\u3002frourio \u3092\u4f7f\u7528\u3057\u305f\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u306b\u306f `class-transformer` \u3068 `reflect-metadata` \u306e\u4f9d\u5b58\u3078\u306e\u8ffd\u52a0\u3082\u5fc5\u8981\u3068\u306a\u308a\u307e\u3059\u3002\n\n### \u30ef\u30fc\u30af\u30a2\u30e9\u30a6\u30f3\u30c9\ncontroller\u5074\u3067\u81ea\u5206\u3067class-transformer\u3092\u4f7f\u7528\u3057\u3066\u30c1\u30a7\u30c3\u30af\u3059\u308b\u3001vaildator\u3092\u4f7f\u308f\u306a\u3044\u3001\u306a\u3069\u3002\n\n### \u3055\u3089\u306a\u308b\u60c5\u5831\n\n\u3053\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u52e7\u544a\u306b\u95a2\u3059\u308b\u8cea\u554f\u3084\u30b3\u30e1\u30f3\u30c8\u306b\u3064\u3044\u3066\u306f\u3001\u4ee5\u4e0b\u306e\u65b9\u6cd5\u3067\u304a\u554f\u3044\u5408\u308f\u305b\u3044\u305f\u3060\u3051\u307e\u3059\u3002\n* [frourio](https://github.com/frouriojs/frourio)\u306bIssue\u3092\u958b\u304f\u3002\n\n## English\n\n### Impact\nFrourio users who uses frourio version prior to v0.26.0 and integration with class-validator through `validators/` folder. Validators does not work properly for request bodies and queries in specific situations. Addtionally, some kind of input is not validated. (false positives)\n\n### Patches\nPlease update your frourio to v0.26.0 or later. You also need to install `class-transformer` and `reflect-metadata` to your project.\n\n### Workarounds\nValidate objects from request with class-transformer in controllers by yourself, or prevent using validators.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [frourio](https://github.com/frouriojs/frourio)\n",
"id": "GHSA-8xxm-h73r-ghfj",
"modified": "2023-07-13T19:05:16Z",
"published": "2022-02-07T22:37:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/frouriojs/frourio/security/advisories/GHSA-8xxm-h73r-ghfj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23623"
},
{
"type": "WEB",
"url": "https://github.com/frouriojs/frourio/commit/7c19ac5363305b81b1c6b5232620228763d427af"
},
{
"type": "PACKAGE",
"url": "https://github.com/frouriojs/frourio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Validation bypass in frourio"
}
GHSA-92V9-XH2Q-FQ9F
Vulnerability from github – Published: 2021-09-20 20:12 – Updated: 2022-12-03 04:00The npm @cookiex/deep package before version 0.0.7 has a prototype pollution vulnerability. The global proto object can be polluted using the proto object.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@cookiex/deep"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23442"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-20T19:26:16Z",
"nvd_published_at": "2021-09-17T10:15:00Z",
"severity": "HIGH"
},
"details": "The npm @cookiex/deep package before version 0.0.7 has a prototype pollution vulnerability. The global proto object can be polluted using the __proto__ object.",
"id": "GHSA-92v9-xh2q-fq9f",
"modified": "2022-12-03T04:00:48Z",
"published": "2021-09-20T20:12:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23442"
},
{
"type": "WEB",
"url": "https://github.com/tony-tsx/cookiex-deep/issues/1"
},
{
"type": "WEB",
"url": "https://github.com/tony-tsx/cookiex-deep/commit/b5bea2b7f34a5fa9abb4446cbd038ecdbcd09c88"
},
{
"type": "PACKAGE",
"url": "https://github.com/tony-tsx/cookiex-deep"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-COOKIEXDEEP-1582793"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in cookiex/deep"
}
GHSA-92XJ-MQP7-VMCJ
Vulnerability from github – Published: 2020-09-14 21:42 – Updated: 2022-12-03 04:06The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: version 0.10.0 is a breaking change removing the vulnerable functions.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-forge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7720"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2020-09-14T21:41:51Z",
"nvd_published_at": "2020-09-01T10:15:00Z",
"severity": "HIGH"
},
"details": "The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: version 0.10.0 is a breaking change removing the vulnerable functions.",
"id": "GHSA-92xj-mqp7-vmcj",
"modified": "2022-12-03T04:06:21Z",
"published": "2020-09-14T21:42:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7720"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/commit/6a1e3ef74f6eb345bcff1b82184201d1e28b6756"
},
{
"type": "PACKAGE",
"url": "https://github.com/digitalbazaar/forge"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md#removed"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in node-forge"
}
GHSA-9354-P3XR-GQW5
Vulnerability from github – Published: 2024-07-24 15:31 – Updated: 2024-07-24 15:31A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.
{
"affected": [],
"aliases": [
"CVE-2024-22443"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-24T15:15:11Z",
"severity": "HIGH"
},
"details": "A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.",
"id": "GHSA-9354-p3xr-gqw5",
"modified": "2024-07-24T15:31:28Z",
"published": "2024-07-24T15:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22443"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04672en_us\u0026docLocale=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.