Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

781 vulnerabilities reference this CWE, most recent first.

GHSA-C7M7-4257-H698

Vulnerability from github – Published: 2021-05-06 17:29 – Updated: 2021-05-05 21:29
VLAI
Summary
Prototype Pollution in templ8
Details

All versions of package templ8 up to and including 0.0.44 are vulnerable to Prototype Pollution via the parse function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "templ8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.44"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T21:29:36Z",
    "nvd_published_at": "2020-08-17T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "All versions of package templ8 up to and including 0.0.44 are vulnerable to Prototype Pollution via the parse function.",
  "id": "GHSA-c7m7-4257-h698",
  "modified": "2021-05-05T21:29:36Z",
  "published": "2021-05-06T17:29:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7702"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-TEMPL8-598770"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in templ8"
}

GHSA-C8XV-5998-G76H

Vulnerability from github – Published: 2026-05-14 16:17 – Updated: 2026-05-14 16:17
VLAI
Summary
n8n: HTTP Request Node Pagination Prototype Pollution to RCE
Details

Impact

An authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance.

Patches

The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Disable the HTTP Request node by adding n8n-nodes-base.httpRequest to the NODES_EXCLUDE environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.


n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "n8n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.123.43"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "n8n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.21.0"
            },
            {
              "fixed": "2.22.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "n8n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-rc.0"
            },
            {
              "fixed": "2.20.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44789"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T16:17:23Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Impact\nAn authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance.\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the HTTP Request node by adding `n8n-nodes-base.httpRequest` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.\n\n---\nn8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.\n\nCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
  "id": "GHSA-c8xv-5998-g76h",
  "modified": "2026-05-14T16:17:23Z",
  "published": "2026-05-14T16:17:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-c8xv-5998-g76h"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/n8n-io/n8n"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "n8n: HTTP Request Node Pagination Prototype Pollution to RCE"
}

GHSA-CC8P-78QF-8P7Q

Vulnerability from github – Published: 2025-09-24 21:30 – Updated: 2025-09-26 18:31
VLAI
Details

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution vulnerabilities by injecting malicious input values (e.g., "proto"), enabling unauthorized modification of the JavaScript Object prototype chain. Successful exploitation could lead to denial of service conditions, unexpected application behavior, or potential execution of arbitrary code in contexts where polluted properties are later accessed or executed. The issue affects versions prior to 7.0.11 and remains unpatched at the time of disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-57347"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-24T19:15:39Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability exists in the \u0027dagre-d3-es\u0027 Node.js package version 7.0.9, specifically within the \u0027bk\u0027 module\u0027s addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution vulnerabilities by injecting malicious input values (e.g., \"__proto__\"), enabling unauthorized modification of the JavaScript Object prototype chain. Successful exploitation could lead to denial of service conditions, unexpected application behavior, or potential execution of arbitrary code in contexts where polluted properties are later accessed or executed. The issue affects versions prior to 7.0.11 and remains unpatched at the time of disclosure.",
  "id": "GHSA-cc8p-78qf-8p7q",
  "modified": "2025-09-26T18:31:19Z",
  "published": "2025-09-24T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57347"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tbo47/dagre-es/issues/52"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57347"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CFGR-75JX-H88G

Vulnerability from github – Published: 2022-10-31 19:00 – Updated: 2024-04-22 23:20
VLAI
Summary
thlorenz browserify-shim vulnerable to prototype pollution
Details

Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the shimPath variable in resolve-shims.js.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.8.15"
      },
      "package": {
        "ecosystem": "npm",
        "name": "browserify-shim"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-37623"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-22T23:20:54Z",
    "nvd_published_at": "2022-10-31T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the shimPath variable in resolve-shims.js.",
  "id": "GHSA-cfgr-75jx-h88g",
  "modified": "2024-04-22T23:20:54Z",
  "published": "2022-10-31T19:00:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37623"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thlorenz/browserify-shim/issues/248"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thlorenz/browserify-shim/pull/246"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thlorenz/browserify-shim/commit/97855e622b6dcd117c77e6583701962ff45e7338"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thlorenz/browserify-shim"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thlorenz/browserify-shim/blob/464b32bbe142664cd9796059798f6c738ea3de8f/lib/resolve-shims.js#L158"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thlorenz/browserify-shim/blob/464b32bbe142664cd9796059798f6c738ea3de8f/lib/resolve-shims.js#L94"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "thlorenz browserify-shim vulnerable to prototype pollution"
}

GHSA-CFW5-2VXH-HR84

Vulnerability from github – Published: 2026-03-12 14:13 – Updated: 2026-03-12 14:13
VLAI
Summary
devalue has prototype pollution in devalue.parse and devalue.unflatten
Details

In devalue v5.6.3, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "devalue"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30226"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T14:13:03Z",
    "nvd_published_at": "2026-03-11T18:16:22Z",
    "severity": "MODERATE"
  },
  "details": "In devalue v5.6.3, `devalue.parse` and `devalue.unflatten` were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion.",
  "id": "GHSA-cfw5-2vxh-hr84",
  "modified": "2026-03-12T14:13:03Z",
  "published": "2026-03-12T14:13:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/devalue/security/advisories/GHSA-cfw5-2vxh-hr84"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30226"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sveltejs/devalue"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "devalue has prototype pollution in devalue.parse and devalue.unflatten"
}

GHSA-CH82-GQH6-9XJ9

Vulnerability from github – Published: 2020-09-04 15:13 – Updated: 2020-08-31 18:55
VLAI
Summary
Prototype Pollution in get-setter
Details

All versions of get-setter are vulnerable to prototype pollution. The function set does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "get-setter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:55:25Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "All versions of `get-setter` are vulnerable to prototype pollution. The function `set` does not restrict the modification of an Object\u0027s prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative package until a fix is made available.",
  "id": "GHSA-ch82-gqh6-9xj9",
  "modified": "2020-08-31T18:55:25Z",
  "published": "2020-09-04T15:13:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1332"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Prototype Pollution in get-setter"
}

GHSA-CJ63-JHHR-WCXV

Vulnerability from github – Published: 2026-04-03 03:45 – Updated: 2026-05-29 21:46
VLAI
Summary
DOMPurify USE_PROFILES prototype pollution allows event handlers
Details

Summary

When USE_PROFILES is enabled, DOMPurify rebuilds ALLOWED_ATTR as a plain array before populating it with the requested allowlists. Because the sanitizer still looks up attributes via ALLOWED_ATTR[lcName], any Array.prototype property that is polluted also counts as an allowlisted attribute. An attacker who can set Array.prototype.onclick = true (or a runtime already subject to prototype pollution) can thus force DOMPurify to keep event handlers such as onclick even when they are normally forbidden. The provided PoC sanitizes <img onclick=...> with USE_PROFILES and adds the sanitized output to the DOM; the polluted prototype allows the event handler to survive and execute, turning what should be a blocklist into a silent XSS vector.

Impact

Prototype pollution makes DOMPurify accept dangerous event handler attributes, which bypasses the sanitizer and results in DOM-based XSS once the sanitized markup is rendered.

Credits

Identified by Cantina’s Apex (https://www.cantina.security).

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.3.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "dompurify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T03:45:08Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\nWhen `USE_PROFILES` is enabled, DOMPurify rebuilds `ALLOWED_ATTR` as a plain array before populating it with the requested allowlists. Because the sanitizer still looks up attributes via `ALLOWED_ATTR[lcName]`, any `Array.prototype` property that is polluted also counts as an allowlisted attribute. An attacker who can set `Array.prototype.onclick = true` (or a runtime already subject to prototype pollution) can thus force DOMPurify to keep event handlers such as `onclick` even when they are normally forbidden. The provided PoC sanitizes `\u003cimg onclick=...\u003e` with `USE_PROFILES` and adds the sanitized output to the DOM; the polluted prototype allows the event handler to survive and execute, turning what should be a blocklist into a silent XSS vector.\n\n## Impact\nPrototype pollution makes DOMPurify accept dangerous event handler attributes, which bypasses the sanitizer and results in DOM-based XSS once the sanitized markup is rendered.\n\n## Credits\nIdentified by Cantina\u2019s Apex (https://www.cantina.security).",
  "id": "GHSA-cj63-jhhr-wcxv",
  "modified": "2026-05-29T21:46:57Z",
  "published": "2026-04-03T03:45:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-cj63-jhhr-wcxv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cure53/DOMPurify"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cure53/DOMPurify/releases/tag/3.3.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "DOMPurify USE_PROFILES prototype pollution allows event handlers"
}

GHSA-CMXG-94MG-JQ94

Vulnerability from github – Published: 2026-05-18 17:07 – Updated: 2026-05-18 17:07
VLAI
Summary
@tmlmobilidade/utils has prototype pollution in its setValueAtPath
Details

Impact

Prototype pollution vulnerability in @tmlmobilidade/utils for setValueAtPath().

Patches

A fix is available in versions 20260509.0340.15 and up.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@tmlmobilidade/utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20260509.0340.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45325"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T17:07:04Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nPrototype pollution vulnerability in @tmlmobilidade/utils for setValueAtPath().\n\n### Patches\nA fix is available in versions 20260509.0340.15 and up.",
  "id": "GHSA-cmxg-94mg-jq94",
  "modified": "2026-05-18T17:07:04Z",
  "published": "2026-05-18T17:07:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tmlmobilidade/go/security/advisories/GHSA-cmxg-94mg-jq94"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tmlmobilidade/go/commit/b10505baa7ba0701f830a05f3007c0a6bdd00eb7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tmlmobilidade/go"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tmlmobilidade/go/blob/prd/packages/utils/src/generic/value-at-path.ts"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@tmlmobilidade/utils has prototype pollution in its setValueAtPath"
}

GHSA-CQQH-49MX-FQ63

Vulnerability from github – Published: 2021-09-13 20:16 – Updated: 2022-08-10 23:45
VLAI
Summary
merge vulnerable to Prototype Pollution
Details

merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@viking04/merge"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3645"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-13T19:14:06Z",
    "nvd_published_at": "2021-09-10T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
  "id": "GHSA-cqqh-49mx-fq63",
  "modified": "2022-08-10T23:45:09Z",
  "published": "2021-09-13T20:16:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3645"
    },
    {
      "type": "WEB",
      "url": "https://github.com/viking04/merge/commit/baba40332080b38b33840d2614df6d4142dedaf6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/viking04/merge"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/ef387a9e-ca3c-4c21-80e3-d34a6a896262"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "merge vulnerable to Prototype Pollution"
}

GHSA-CR7H-93FH-WHWM

Vulnerability from github – Published: 2025-09-24 21:30 – Updated: 2025-09-25 17:52
VLAI
Summary
magix-combine-ex vulnerable to prototype pollution
Details

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions through 2.2.2 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "magix-combine-ex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-57321"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-25T17:52:23Z",
    "nvd_published_at": "2025-09-24T20:15:31Z",
    "severity": "LOW"
  },
  "details": "A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions through 2.2.2 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.",
  "id": "GHSA-cr7h-93fh-whwm",
  "modified": "2025-09-25T17:52:42Z",
  "published": "2025-09-24T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57321"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/magix-combine-ex%401.2.10/index.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57321"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thx/magix-combine"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "magix-combine-ex vulnerable to prototype pollution"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.