Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

781 vulnerabilities reference this CWE, most recent first.

GHSA-F825-F98C-GJ3G

Vulnerability from github – Published: 2022-07-29 00:00 – Updated: 2023-09-11 16:22
VLAI
Summary
automattic/mongoose vulnerable to Prototype pollution via Schema.path
Details

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "mongoose"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "mongoose"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.13.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-2564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-04T14:22:23Z",
    "nvd_published_at": "2022-07-28T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The `Schema.path()` function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.",
  "id": "GHSA-f825-f98c-gj3g",
  "modified": "2023-09-11T16:22:58Z",
  "published": "2022-07-29T00:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2564"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Automattic/mongoose/commit/99b418941e2fc974199b8e5bd9d382bb50bf680a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Automattic/mongoose/compare/6.4.5...6.4.6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/automattic/mongoose"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "automattic/mongoose vulnerable to Prototype pollution via Schema.path"
}

GHSA-F8H3-RQRM-47V9

Vulnerability from github – Published: 2020-09-02 16:02 – Updated: 2020-08-31 18:36
VLAI
Summary
Prototype Pollution in smart-extend
Details

All versions of smart-extend are vulnerable to Prototype Pollution. The deep() function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects.

Recommendation

No fix is currently available. Consider using an alternative module until a fix is made available.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "smart-extend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:36:15Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "All versions of `smart-extend` are vulnerable to Prototype Pollution. The `deep()` function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative module until a fix is made available.",
  "id": "GHSA-f8h3-rqrm-47v9",
  "modified": "2020-08-31T18:36:15Z",
  "published": "2020-09-02T16:02:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/438274"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/801"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Prototype Pollution in smart-extend"
}

GHSA-F98M-Q3HR-P5WQ

Vulnerability from github – Published: 2021-05-06 18:12 – Updated: 2021-12-14 15:33
VLAI
Summary
Prototype Pollution in locutus
Details

All versions of package locutus prior to version 2.0.12 are vulnerable to Prototype Pollution via the php.strings.parse_str function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "locutus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7719"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-20",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T18:44:01Z",
    "nvd_published_at": "2020-09-01T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "All versions of package locutus prior to version 2.0.12 are vulnerable to Prototype Pollution via the php.strings.parse_str function.",
  "id": "GHSA-f98m-q3hr-p5wq",
  "modified": "2021-12-14T15:33:28Z",
  "published": "2021-05-06T18:12:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7719"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kvz/locutus/pull/418"
    },
    {
      "type": "WEB",
      "url": "https://github.com/locutusjs/locutus/commit/0eb16d8541838e80f3c2340a9ef93ded7c97290f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kvz/locutus"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-LOCUTUS-598675"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in locutus"
}

GHSA-F9CM-QMX5-M98H

Vulnerability from github – Published: 2018-11-01 14:45 – Updated: 2023-09-07 20:34
VLAI
Summary
Prototype Pollution in merge
Details

Versions of merge before 1.2.1 are vulnerable to prototype pollution. The merge.recursive function can be tricked into adding or modifying properties of the Object prototype.

Recommendation

Update to version 1.2.1 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "merge"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-16469"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:34:14Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Versions of `merge` before 1.2.1 are vulnerable to prototype pollution. The `merge.recursive` function can be tricked into adding or modifying properties of the Object prototype.\n\n\n## Recommendation\n\nUpdate to version 1.2.1 or later.",
  "id": "GHSA-f9cm-qmx5-m98h",
  "modified": "2023-09-07T20:34:10Z",
  "published": "2018-11-01T14:45:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16469"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/381194"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-f9cm-qmx5-m98h"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/722"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in merge"
}

GHSA-FF7X-QRG7-QGGM

Vulnerability from github – Published: 2020-07-29 20:56 – Updated: 2022-08-11 14:58
VLAI
Summary
dot-prop Prototype Pollution vulnerability
Details

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "dot-prop"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "dot-prop"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-8116"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-425",
      "CWE-471"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-07-29T20:51:37Z",
    "nvd_published_at": "2020-02-04T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.",
  "id": "GHSA-ff7x-qrg7-qggm",
  "modified": "2022-08-11T14:58:19Z",
  "published": "2020-07-29T20:56:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8116"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sindresorhus/dot-prop/issues/63"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/719856"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-ff7x-qrg7-qggm"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sindresorhus/dot-prop"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sindresorhus/dot-prop/tree/v4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "dot-prop Prototype Pollution vulnerability"
}

GHSA-FF9J-PWXG-Q5P2

Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-08 14:49
VLAI
Summary
deep-parse-json vulnerable to Prototype Pollution
Details

deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the __proto__ property to be edited.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "deep-parse-json"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-42743"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-08T14:49:05Z",
    "nvd_published_at": "2022-11-03T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the `__proto__` property to be edited.",
  "id": "GHSA-ff9j-pwxg-q5p2",
  "modified": "2022-11-08T14:49:05Z",
  "published": "2022-11-04T12:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42743"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sibu-github/deep-parse-json/issues/6"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/buuren"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sibu-github/deep-parse-json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "deep-parse-json vulnerable to Prototype Pollution"
}

GHSA-FFRW-9MX8-89P8

Vulnerability from github – Published: 2025-09-24 21:30 – Updated: 2025-11-20 17:27
VLAI
Summary
Withdrawn Advisory: fast-redact vulnerable to prototype pollution
Details

Withdrawn Advisory

This advisory has been withdrawn because the issue uses an internal undocumented utility function. This link is maintained to preserve external references.

Original Description

fast-redact is a package that provides do very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-redact"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-57319"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-29T13:10:15Z",
    "nvd_published_at": "2025-09-24T21:15:32Z",
    "severity": "LOW"
  },
  "details": "## Withdrawn Advisory\nThis advisory has been withdrawn because the issue uses an internal undocumented utility function. This link is maintained to preserve external references.\n\n## Original Description\n\nfast-redact is a package that provides do very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.",
  "id": "GHSA-ffrw-9mx8-89p8",
  "modified": "2025-11-20T17:27:56Z",
  "published": "2025-09-24T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57319"
    },
    {
      "type": "WEB",
      "url": "https://github.com/davidmarkclements/fast-redact/issues/75"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/fast-redact%403.5.0/index.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57319"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/davidmarkclements/fast-redact"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Withdrawn Advisory: fast-redact vulnerable to prototype pollution",
  "withdrawn": "2025-11-20T17:27:56Z"
}

GHSA-FG4M-W35Q-VFG2

Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-03-19 15:40
VLAI
Summary
@zag-js/core prototype pollution
Details

A prototype pollution in the lib.deepMerge function of @zag-js/core v0.50.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@zag-js/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.82.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-57079"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-06T23:32:24Z",
    "nvd_published_at": "2025-02-05T22:15:32Z",
    "severity": "HIGH"
  },
  "details": "A prototype pollution in the lib.deepMerge function of @zag-js/core v0.50.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.",
  "id": "GHSA-fg4m-w35q-vfg2",
  "modified": "2025-03-19T15:40:29Z",
  "published": "2025-02-06T06:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57079"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chakra-ui/zag/pull/2255"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chakra-ui/zag/commit/f53edc548f737aadfdd486a0043bdd5f5c068bbf"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/tariqhawis/4778fc57084766b7b7fb6d25d20b7b9b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chakra-ui/zag"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@zag-js/core prototype pollution"
}

GHSA-FG52-5JJJ-28H7

Vulnerability from github – Published: 2024-06-17 15:30 – Updated: 2024-06-17 21:29
VLAI
Summary
@cdr0/sg Prototype Pollution
Details

A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@cdr0/sg"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-36580"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-17T21:29:55Z",
    "nvd_published_at": "2024-06-17T14:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code.",
  "id": "GHSA-fg52-5jjj-28h7",
  "modified": "2024-06-17T21:29:55Z",
  "published": "2024-06-17T15:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36580"
    },
    {
      "type": "WEB",
      "url": "https://github.com/briancsparks/cdr0-sg/issues/11"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/a75d75eca4622ad08f7cfa903a6cc9c3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/briancsparks/cdr0-sg"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "@cdr0/sg Prototype Pollution"
}

GHSA-FGQ5-VX4R-RG7C

Vulnerability from github – Published: 2024-07-30 21:31 – Updated: 2024-08-01 15:32
VLAI
Details

Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the _assign() method at (/lib/index.js:91)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38983"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-30T21:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the _assign() method at (/lib/index.js:91)",
  "id": "GHSA-fgq5-vx4r-rg7c",
  "modified": "2024-08-01T15:32:15Z",
  "published": "2024-07-30T21:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38983"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/f82d0c3a8fe3a125f06425caef5d22ed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.