Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

781 vulnerabilities reference this CWE, most recent first.

GHSA-9X7M-9HPG-XXMW

Vulnerability from github – Published: 2021-12-10 17:24 – Updated: 2021-07-19 15:44
VLAI
Summary
Prototype Pollution in putil-merge
Details

Prototype pollution vulnerability in 'putil-merge' versions1.0.0 through 3.6.6 allows attacker to cause a denial of service and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.6.6"
      },
      "package": {
        "ecosystem": "npm",
        "name": "putil-merge"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "3.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-25953"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-15T20:19:36Z",
    "nvd_published_at": "2021-07-14T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in \u0027putil-merge\u0027 versions1.0.0 through 3.6.6 allows attacker to cause a denial of service and may lead to remote code execution.",
  "id": "GHSA-9x7m-9hpg-xxmw",
  "modified": "2021-07-19T15:44:57Z",
  "published": "2021-12-10T17:24:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25953"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25953"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in putil-merge"
}

GHSA-9XQH-F8H9-23PV

Vulnerability from github – Published: 2026-02-14 00:32 – Updated: 2026-02-17 18:32
VLAI
Details

A State Pollution vulnerability was discovered in the TON Virtual Machine (TVM) before v2025.04. The issue exists in the RUNVM instruction logic (VmState::run_child_vm), which is responsible for initializing child virtual machines. The operation moves critical resources (specifically libraries and log) from the parent state to a new child state in a non-atomic manner. If an Out-of-Gas (OOG) exception occurs after resources are moved but before the state transition is finalized, the parent VM retains a corrupted state where these resources are emptied/invalid. Because RUNVM supports gas isolation, the parent VM continues execution with this corrupted state, leading to unexpected behavior or denial of service within the contract's context.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-70956"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-13T22:16:10Z",
    "severity": "HIGH"
  },
  "details": "A State Pollution vulnerability was discovered in the TON Virtual Machine (TVM) before v2025.04. The issue exists in the RUNVM instruction logic (VmState::run_child_vm), which is responsible for initializing child virtual machines. The operation moves critical resources (specifically libraries and log) from the parent state to a new child state in a non-atomic manner. If an Out-of-Gas (OOG) exception occurs after resources are moved but before the state transition is finalized, the parent VM retains a corrupted state where these resources are emptied/invalid. Because RUNVM supports gas isolation, the parent VM continues execution with this corrupted state, leading to unexpected behavior or denial of service within the contract\u0027s context.",
  "id": "GHSA-9xqh-f8h9-23pv",
  "modified": "2026-02-17T18:32:55Z",
  "published": "2026-02-14T00:32:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70956"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ton-blockchain/ton/commit/1835d84602bbaaa1593270d7ab3bb0b499920416"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Lucian-code233/beab9d14683ed2bdf5543be430b91c70"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ton-blockchain/ton/releases/tag/v2025.04#:~:text=Arayz%2C%20Robinlzw%2C%20%40wy666444%20%40Lucian-code233"
    },
    {
      "type": "WEB",
      "url": "https://mp.weixin.qq.com/s/ZD35baKUikefFdtNHZIC9g"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C36V-FMGQ-M8HX

Vulnerability from github – Published: 2021-09-07 22:57 – Updated: 2024-04-25 22:09
VLAI
Summary
Prototype Pollution in immer
Details

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "immer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "9.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3757"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-03T20:17:21Z",
    "nvd_published_at": "2021-09-02T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027).",
  "id": "GHSA-c36v-fmgq-m8hx",
  "modified": "2024-04-25T22:09:12Z",
  "published": "2021-09-07T22:57:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3757"
    },
    {
      "type": "WEB",
      "url": "https://github.com/immerjs/immer/commit/fa671e55ee9bd42ae08cc239102b665a23958237"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/immerjs/immer"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in immer"
}

GHSA-C3PX-V9C7-M734

Vulnerability from github – Published: 2020-09-03 19:04 – Updated: 2020-08-31 18:47
VLAI
Summary
Prototype Pollution in mithril
Details

Affected versions of mithrilare vulnerable to prototype pollution. The function parseQueryString may allow a malicious user to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. A payload such as __proto__%5BtoString%5D=123 in the query string would change the toString() function to 123.

Recommendation

If you are using mithril 2.x, upgrade to version 2.0.2 or later. If you are using mithril 1.x, upgrade to version 1.1.7 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "mithril"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "mithril"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:47:02Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Affected versions of `mithril`are vulnerable to prototype pollution. The function `parseQueryString` may allow a malicious user to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. A payload such as `__proto__%5BtoString%5D=123` in the query string would change the `toString()` function to `123`.\n\n\n\n## Recommendation\n\nIf you are using mithril 2.x, upgrade to version 2.0.2 or later.\nIf you are using mithril 1.x, upgrade to version 1.1.7 or later.",
  "id": "GHSA-c3px-v9c7-m734",
  "modified": "2020-08-31T18:47:02Z",
  "published": "2020-09-03T19:04:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1094"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Prototype Pollution in mithril"
}

GHSA-C429-5P7V-VGJP

Vulnerability from github – Published: 2022-09-25 00:00 – Updated: 2025-05-28 19:35
VLAI
Summary
hoek subject to prototype pollution via the clone function.
Details

hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the proto key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@hapi/hoek"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@hapi/hoek"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "hoek"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "6.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-36604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-29T14:13:31Z",
    "nvd_published_at": "2022-09-23T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1.",
  "id": "GHSA-c429-5p7v-vgjp",
  "modified": "2025-05-28T19:35:05Z",
  "published": "2022-09-25T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36604"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hapijs/hoek/issues/352"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hapijs/hoek/commit/4d0804bc6135ad72afdc5e1ec002b935b2f5216a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "hoek subject to prototype pollution via the clone function."
}

GHSA-C4W7-XM78-47VH

Vulnerability from github – Published: 2021-03-29 16:05 – Updated: 2023-09-07 20:22
VLAI
Summary
Prototype Pollution in y18n
Details

Overview

The npm package y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution.

POC

const y18n = require('y18n')();

y18n.setLocale('__proto__');
y18n.updateLocale({polluted: true});

console.log(polluted); // true

Recommendation

Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "y18n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "y18n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.0.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "y18n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7774"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-20",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-12T21:23:11Z",
    "nvd_published_at": "2020-11-17T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Overview\n\nThe npm package `y18n` before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution. \n\n### POC\n\n```js\nconst y18n = require(\u0027y18n\u0027)();\n\ny18n.setLocale(\u0027__proto__\u0027);\ny18n.updateLocale({polluted: true});\n\nconsole.log(polluted); // true\n```\n\n### Recommendation\n\nUpgrade to version 3.2.2, 4.0.1, 5.0.5 or later.",
  "id": "GHSA-c4w7-xm78-47vh",
  "modified": "2023-09-07T20:22:08Z",
  "published": "2021-03-29T16:05:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yargs/y18n/issues/96"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yargs/y18n/pull/108"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/yargs/y18n"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-Y18N-1021887"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in y18n"
}

GHSA-C567-44RC-M5HQ

Vulnerability from github – Published: 2026-05-11 16:09 – Updated: 2026-06-08 23:49
VLAI
Summary
@rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)
Details

Summary

setPath in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) does not block the keys __proto__, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData (and through parseFormData / validate), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on Object.prototype of the running server process.

This is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via parseFormData or runs a validator created with createValidator is affected.

Affected versions

  • @rvf/set-get < 7.0.2 (7.x line)
  • @rvf/set-get < 6.0.4 (6.x line)

Reached through @rvf/core versions that depend on a vulnerable @rvf/set-get (current 8.1.0 resolves to 7.0.1 without the override).

Patched

  • @rvf/set-get 7.0.2
  • @rvf/set-get 6.0.4

The fix adds a REJECT_KEYS blocklist (__proto__, constructor, prototype) and throws when one is encountered while walking a path inside setPath.

Proof of concept

Install a vulnerable resolution and run on Node 18+:

{
  "dependencies": { "@rvf/core": "8.1.0" },
  "overrides": { "@rvf/set-get": "7.0.1" }
}
const { preprocessFormData } = require('@rvf/core');

const form = new FormData();
form.append("username", "alice");
form.append("__proto__[polluted]", "yes");

preprocessFormData(form);
console.log(({}).polluted); // -> 'yes'

The field name __proto__[polluted] is the kind of value an attacker can submit from any HTML form or HTTP client. After the call, every plain object in the process inherits polluted = 'yes'.

A second working payload is constructor.prototype.<key>=<value>, which goes through setPath walking constructor then prototype.

Impact

  • Any property assignable on Object.prototype of the server process, set by a single unauthenticated HTTP request.
  • Persists for the life of the worker process and affects every subsequent request handled by the same process.
  • Direct downstream consequences depend on the host application and the rest of its dependency tree, but typical risks include: bypassing if (obj.isAdmin) style checks, injecting unintended config values into objects merged with user input, breaking template rendering, and crashing the worker by polluting properties used by other libraries (DoS).
  • Worth noting: the visible output of preprocessFormData does not contain the malicious key, so the attack leaves no obvious trace in request logs that show parsed bodies.

CVSS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L (8.2, High)

Integrity is High because the primitive lets the attacker change the meaning of property reads on every object in the process. Confidentiality is None and Availability is Low without a named downstream gadget; both could be higher in a specific consuming app.

Remediation for users

Upgrade to @rvf/set-get 7.0.2 or 6.0.4. If you cannot upgrade @rvf/core directly, an npm / pnpm override on @rvf/set-get works.

Credit

Reported by Mohamed Bassia (@0xBassia).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@rvf/set-get"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@rvf/set-get"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T16:09:40Z",
    "nvd_published_at": "2026-05-27T17:16:39Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`setPath` in `@rvf/set-get` (used by `@rvf/core` to flatten incoming form data into a nested object) does not block the keys `__proto__`, `constructor`, or `prototype` when walking a path. Because field names in submitted form data are passed directly to `setPath` via `preprocessFormData` (and through `parseFormData` / `validate`), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on `Object.prototype` of the running server process.\n\nThis is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via `parseFormData` or runs a validator created with `createValidator` is affected.\n\n## Affected versions\n\n- `@rvf/set-get` `\u003c 7.0.2` (7.x line)\n- `@rvf/set-get` `\u003c 6.0.4` (6.x line)\n\nReached through `@rvf/core` versions that depend on a vulnerable `@rvf/set-get` (current `8.1.0` resolves to `7.0.1` without the override).\n\n## Patched\n\n- `@rvf/set-get` `7.0.2`\n- `@rvf/set-get` `6.0.4`\n\nThe fix adds a `REJECT_KEYS` blocklist (`__proto__`, `constructor`, `prototype`) and throws when one is encountered while walking a path inside `setPath`.\n\n## Proof of concept\n\nInstall a vulnerable resolution and run on Node 18+:\n\n```json\n{\n  \"dependencies\": { \"@rvf/core\": \"8.1.0\" },\n  \"overrides\": { \"@rvf/set-get\": \"7.0.1\" }\n}\n```\n\n```js\nconst { preprocessFormData } = require(\u0027@rvf/core\u0027);\n\nconst form = new FormData();\nform.append(\"username\", \"alice\");\nform.append(\"__proto__[polluted]\", \"yes\");\n\npreprocessFormData(form);\nconsole.log(({}).polluted); // -\u003e \u0027yes\u0027\n```\n\nThe field name `__proto__[polluted]` is the kind of value an attacker can submit from any HTML form or HTTP client. After the call, every plain object in the process inherits `polluted = \u0027yes\u0027`.\n\nA second working payload is `constructor.prototype.\u003ckey\u003e=\u003cvalue\u003e`, which goes through `setPath` walking `constructor` then `prototype`.\n\n## Impact\n\n- Any property assignable on `Object.prototype` of the server process, set by a single unauthenticated HTTP request.\n- Persists for the life of the worker process and affects every subsequent request handled by the same process.\n- Direct downstream consequences depend on the host application and the rest of its dependency tree, but typical risks include: bypassing `if (obj.isAdmin)` style checks, injecting unintended config values into objects merged with user input, breaking template rendering, and crashing the worker by polluting properties used by other libraries (DoS).\n- Worth noting: the visible output of `preprocessFormData` does not contain the malicious key, so the attack leaves no obvious trace in request logs that show parsed bodies.\n\n## CVSS\n\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L` (8.2, High)\n\nIntegrity is High because the primitive lets the attacker change the meaning of property reads on every object in the process. Confidentiality is None and Availability is Low without a named downstream gadget; both could be higher in a specific consuming app.\n\n## Remediation for users\n\nUpgrade to `@rvf/set-get` `7.0.2` or `6.0.4`. If you cannot upgrade `@rvf/core` directly, an `npm` / `pnpm` override on `@rvf/set-get` works.\n\n## Credit\n\nReported by Mohamed Bassia (@0xBassia).",
  "id": "GHSA-c567-44rc-m5hq",
  "modified": "2026-06-08T23:49:03Z",
  "published": "2026-05-11T16:09:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/airjp73/rvf/security/advisories/GHSA-c567-44rc-m5hq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44483"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/airjp73/rvf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@rvf/set-get has a prototype pollution issue that\u0027s reachable via @rvf/core preprocessFormData (HTTP form data)"
}

GHSA-C5CP-PF7W-RG5W

Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-02-06 18:31
VLAI
Details

A prototype pollution in the lib.combine function of php-parser v3.2.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-05T22:15:31Z",
    "severity": "HIGH"
  },
  "details": "A prototype pollution in the lib.combine function of php-parser v3.2.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.",
  "id": "GHSA-c5cp-pf7w-rg5w",
  "modified": "2025-02-06T18:31:05Z",
  "published": "2025-02-06T06:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57071"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/tariqhawis/b56500d3a8866467ee769df7453eedaa"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C6H4-GC3F-HGJQ

Vulnerability from github – Published: 2022-01-06 21:58 – Updated: 2022-01-13 18:28
VLAI
Summary
Prototype Pollution in js-data
Details

All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn and the set functions. This is an incomplete fix of CVE-2020-28442.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "js-data"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23574"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-05T20:22:05Z",
    "nvd_published_at": "2021-12-24T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn and the set functions. This is an incomplete fix of [CVE-2020-28442](https://snyk.io/vuln/SNYK-JS-JSDATA-1023655).",
  "id": "GHSA-c6h4-gc3f-hgjq",
  "modified": "2022-01-13T18:28:50Z",
  "published": "2022-01-06T21:58:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23574"
    },
    {
      "type": "WEB",
      "url": "https://github.com/js-data/js-data/issues/576"
    },
    {
      "type": "WEB",
      "url": "https://github.com/js-data/js-data/issues/577"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/js-data/js-data"
    },
    {
      "type": "WEB",
      "url": "https://github.com/js-data/js-data/blob/master/dist/js-data.js%23L472"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2320790"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2320791"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-JSDATA-1584361"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in js-data"
}

GHSA-C6RP-WRP9-QR4Q

Vulnerability from github – Published: 2022-12-21 21:30 – Updated: 2022-12-29 01:06
VLAI
Summary
dustjs-linkedin vulnerable to Prototype Pollution
Details

A vulnerability was found in LinkedIn dustjs prior to version 3.0.0 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.0.0 can address this issue. The name of the patch is ddb6523832465d38c9d80189e9de60519ac307c3. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216464.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "dustjs-linkedin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-4264"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-74",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-22T03:35:37Z",
    "nvd_published_at": "2022-12-21T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in LinkedIn dustjs prior to version 3.0.0 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes (\u0027prototype pollution\u0027). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.0.0 can address this issue. The name of the patch is ddb6523832465d38c9d80189e9de60519ac307c3. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216464.",
  "id": "GHSA-c6rp-wrp9-qr4q",
  "modified": "2022-12-29T01:06:38Z",
  "published": "2022-12-21T21:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4264"
    },
    {
      "type": "WEB",
      "url": "https://github.com/linkedin/dustjs/issues/804"
    },
    {
      "type": "WEB",
      "url": "https://github.com/linkedin/dustjs/pull/805"
    },
    {
      "type": "WEB",
      "url": "https://github.com/linkedin/dustjs/commit/ddb6523832465d38c9d80189e9de60519ac307c3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/linkedin/dustjs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/linkedin/dustjs/releases/tag/v3.0.0"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.216464"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.216464"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "dustjs-linkedin vulnerable to Prototype Pollution"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.