CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
781 vulnerabilities reference this CWE, most recent first.
GHSA-F825-F98C-GJ3G
Vulnerability from github – Published: 2022-07-29 00:00 – Updated: 2023-09-11 16:22Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mongoose"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "mongoose"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.13.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-2564"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-04T14:22:23Z",
"nvd_published_at": "2022-07-28T20:15:00Z",
"severity": "HIGH"
},
"details": "Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The `Schema.path()` function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.",
"id": "GHSA-f825-f98c-gj3g",
"modified": "2023-09-11T16:22:58Z",
"published": "2022-07-29T00:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2564"
},
{
"type": "WEB",
"url": "https://github.com/Automattic/mongoose/commit/99b418941e2fc974199b8e5bd9d382bb50bf680a"
},
{
"type": "WEB",
"url": "https://github.com/automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8"
},
{
"type": "WEB",
"url": "https://github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141"
},
{
"type": "WEB",
"url": "https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md"
},
{
"type": "WEB",
"url": "https://github.com/Automattic/mongoose/compare/6.4.5...6.4.6"
},
{
"type": "WEB",
"url": "https://github.com/automattic/mongoose"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "automattic/mongoose vulnerable to Prototype pollution via Schema.path"
}
GHSA-F8H3-RQRM-47V9
Vulnerability from github – Published: 2020-09-02 16:02 – Updated: 2020-08-31 18:36All versions of smart-extend are vulnerable to Prototype Pollution. The deep() function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects.
Recommendation
No fix is currently available. Consider using an alternative module until a fix is made available.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "smart-extend"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:36:15Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "All versions of `smart-extend` are vulnerable to Prototype Pollution. The `deep()` function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative module until a fix is made available.",
"id": "GHSA-f8h3-rqrm-47v9",
"modified": "2020-08-31T18:36:15Z",
"published": "2020-09-02T16:02:40Z",
"references": [
{
"type": "WEB",
"url": "https://hackerone.com/reports/438274"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/801"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Prototype Pollution in smart-extend"
}
GHSA-F98M-Q3HR-P5WQ
Vulnerability from github – Published: 2021-05-06 18:12 – Updated: 2021-12-14 15:33All versions of package locutus prior to version 2.0.12 are vulnerable to Prototype Pollution via the php.strings.parse_str function.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "locutus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7719"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-20",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-05T18:44:01Z",
"nvd_published_at": "2020-09-01T10:15:00Z",
"severity": "CRITICAL"
},
"details": "All versions of package locutus prior to version 2.0.12 are vulnerable to Prototype Pollution via the php.strings.parse_str function.",
"id": "GHSA-f98m-q3hr-p5wq",
"modified": "2021-12-14T15:33:28Z",
"published": "2021-05-06T18:12:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7719"
},
{
"type": "WEB",
"url": "https://github.com/kvz/locutus/pull/418"
},
{
"type": "WEB",
"url": "https://github.com/locutusjs/locutus/commit/0eb16d8541838e80f3c2340a9ef93ded7c97290f"
},
{
"type": "PACKAGE",
"url": "https://github.com/kvz/locutus"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-LOCUTUS-598675"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in locutus"
}
GHSA-F9CM-QMX5-M98H
Vulnerability from github – Published: 2018-11-01 14:45 – Updated: 2023-09-07 20:34Versions of merge before 1.2.1 are vulnerable to prototype pollution. The merge.recursive function can be tricked into adding or modifying properties of the Object prototype.
Recommendation
Update to version 1.2.1 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "merge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-16469"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:34:14Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Versions of `merge` before 1.2.1 are vulnerable to prototype pollution. The `merge.recursive` function can be tricked into adding or modifying properties of the Object prototype.\n\n\n## Recommendation\n\nUpdate to version 1.2.1 or later.",
"id": "GHSA-f9cm-qmx5-m98h",
"modified": "2023-09-07T20:34:10Z",
"published": "2018-11-01T14:45:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16469"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/381194"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-f9cm-qmx5-m98h"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/722"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in merge"
}
GHSA-FF7X-QRG7-QGGM
Vulnerability from github – Published: 2020-07-29 20:56 – Updated: 2022-08-11 14:58Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "dot-prop"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "dot-prop"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-8116"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-425",
"CWE-471"
],
"github_reviewed": true,
"github_reviewed_at": "2020-07-29T20:51:37Z",
"nvd_published_at": "2020-02-04T20:15:00Z",
"severity": "HIGH"
},
"details": "Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.",
"id": "GHSA-ff7x-qrg7-qggm",
"modified": "2022-08-11T14:58:19Z",
"published": "2020-07-29T20:56:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8116"
},
{
"type": "WEB",
"url": "https://github.com/sindresorhus/dot-prop/issues/63"
},
{
"type": "WEB",
"url": "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2"
},
{
"type": "WEB",
"url": "https://github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/719856"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-ff7x-qrg7-qggm"
},
{
"type": "PACKAGE",
"url": "https://github.com/sindresorhus/dot-prop"
},
{
"type": "WEB",
"url": "https://github.com/sindresorhus/dot-prop/tree/v4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "dot-prop Prototype Pollution vulnerability"
}
GHSA-FF9J-PWXG-Q5P2
Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-08 14:49deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the __proto__ property to be edited.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "deep-parse-json"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-42743"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-08T14:49:05Z",
"nvd_published_at": "2022-11-03T20:15:00Z",
"severity": "MODERATE"
},
"details": "deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the `__proto__` property to be edited.",
"id": "GHSA-ff9j-pwxg-q5p2",
"modified": "2022-11-08T14:49:05Z",
"published": "2022-11-04T12:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42743"
},
{
"type": "WEB",
"url": "https://github.com/sibu-github/deep-parse-json/issues/6"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/advisories/buuren"
},
{
"type": "PACKAGE",
"url": "https://github.com/sibu-github/deep-parse-json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "deep-parse-json vulnerable to Prototype Pollution"
}
GHSA-FFRW-9MX8-89P8
Vulnerability from github – Published: 2025-09-24 21:30 – Updated: 2025-11-20 17:27Withdrawn Advisory
This advisory has been withdrawn because the issue uses an internal undocumented utility function. This link is maintained to preserve external references.
Original Description
fast-redact is a package that provides do very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fast-redact"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-57319"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-29T13:10:15Z",
"nvd_published_at": "2025-09-24T21:15:32Z",
"severity": "LOW"
},
"details": "## Withdrawn Advisory\nThis advisory has been withdrawn because the issue uses an internal undocumented utility function. This link is maintained to preserve external references.\n\n## Original Description\n\nfast-redact is a package that provides do very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.",
"id": "GHSA-ffrw-9mx8-89p8",
"modified": "2025-11-20T17:27:56Z",
"published": "2025-09-24T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57319"
},
{
"type": "WEB",
"url": "https://github.com/davidmarkclements/fast-redact/issues/75"
},
{
"type": "WEB",
"url": "https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/fast-redact%403.5.0/index.js"
},
{
"type": "WEB",
"url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57319"
},
{
"type": "PACKAGE",
"url": "https://github.com/davidmarkclements/fast-redact"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Withdrawn Advisory: fast-redact vulnerable to prototype pollution",
"withdrawn": "2025-11-20T17:27:56Z"
}
GHSA-FG4M-W35Q-VFG2
Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-03-19 15:40A prototype pollution in the lib.deepMerge function of @zag-js/core v0.50.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@zag-js/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.82.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-57079"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-06T23:32:24Z",
"nvd_published_at": "2025-02-05T22:15:32Z",
"severity": "HIGH"
},
"details": "A prototype pollution in the lib.deepMerge function of @zag-js/core v0.50.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.",
"id": "GHSA-fg4m-w35q-vfg2",
"modified": "2025-03-19T15:40:29Z",
"published": "2025-02-06T06:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57079"
},
{
"type": "WEB",
"url": "https://github.com/chakra-ui/zag/pull/2255"
},
{
"type": "WEB",
"url": "https://github.com/chakra-ui/zag/commit/f53edc548f737aadfdd486a0043bdd5f5c068bbf"
},
{
"type": "WEB",
"url": "https://gist.github.com/tariqhawis/4778fc57084766b7b7fb6d25d20b7b9b"
},
{
"type": "PACKAGE",
"url": "https://github.com/chakra-ui/zag"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "@zag-js/core prototype pollution"
}
GHSA-FG52-5JJJ-28H7
Vulnerability from github – Published: 2024-06-17 15:30 – Updated: 2024-06-17 21:29A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@cdr0/sg"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-36580"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-17T21:29:55Z",
"nvd_published_at": "2024-06-17T14:15:10Z",
"severity": "MODERATE"
},
"details": "A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code.",
"id": "GHSA-fg52-5jjj-28h7",
"modified": "2024-06-17T21:29:55Z",
"published": "2024-06-17T15:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36580"
},
{
"type": "WEB",
"url": "https://github.com/briancsparks/cdr0-sg/issues/11"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/a75d75eca4622ad08f7cfa903a6cc9c3"
},
{
"type": "PACKAGE",
"url": "https://github.com/briancsparks/cdr0-sg"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "@cdr0/sg Prototype Pollution"
}
GHSA-FGQ5-VX4R-RG7C
Vulnerability from github – Published: 2024-07-30 21:31 – Updated: 2024-08-01 15:32Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the _assign() method at (/lib/index.js:91)
{
"affected": [],
"aliases": [
"CVE-2024-38983"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-30T21:15:09Z",
"severity": "CRITICAL"
},
"details": "Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the _assign() method at (/lib/index.js:91)",
"id": "GHSA-fgq5-vx4r-rg7c",
"modified": "2024-08-01T15:32:15Z",
"published": "2024-07-30T21:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38983"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/f82d0c3a8fe3a125f06425caef5d22ed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.