Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

785 vulnerabilities reference this CWE, most recent first.

GHSA-P3HC-FV2J-RP68

Vulnerability from github – Published: 2021-05-10 15:36 – Updated: 2021-05-07 17:34
VLAI
Summary
Prototype Pollution in swiper
Details

Versions of the package swiper before 6.5.1 are susceptible to prototype pollution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "swiper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23370"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-07T17:34:38Z",
    "nvd_published_at": "2021-04-12T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Versions of the package swiper before 6.5.1 are susceptible to prototype pollution.",
  "id": "GHSA-p3hc-fv2j-rp68",
  "modified": "2021-05-07T17:34:38Z",
  "published": "2021-05-10T15:36:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23370"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nolimits4web/Swiper/commit/ec358deab79a8cd2529465f07a0ead5dbcc264ad"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nolimits4web/swiper/commit/9dad2739b7474f383474773d5ab898a0c29ac178"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nolimits4web/swiper/blob/master/CHANGELOG.md#651-2021-03-29"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1244698"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1244699"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBNOLIMITS4WEB-1244697"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1244696"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-SWIPER-1088062"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in swiper"
}

GHSA-P3PG-64PV-V7JG

Vulnerability from github – Published: 2022-05-03 00:00 – Updated: 2022-05-20 20:48
VLAI
Summary
Prototype Pollution in jsgui-lang-essentials
Details

All versions of package jsgui-lang-essentials are vulnerable to Prototype Pollution due to allowing all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jsgui-lang-essentials"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25301"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-20T20:48:37Z",
    "nvd_published_at": "2022-05-01T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "All versions of package `jsgui-lang-essentials` are vulnerable to Prototype Pollution due to allowing all `Object` attributes to be altered, including their magical attributes such as `proto`, `constructor` and `prototype`.",
  "id": "GHSA-p3pg-64pv-v7jg",
  "modified": "2022-05-20T20:48:37Z",
  "published": "2022-05-03T00:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25301"
    },
    {
      "type": "WEB",
      "url": "https://github.com/metabench/jsgui-lang-essentials/issues/1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/metabench/jsgui-lang-essentials"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-JSGUILANGESSENTIALS-2316897"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in jsgui-lang-essentials"
}

GHSA-P3VF-V8QC-CWCR

Vulnerability from github – Published: 2024-10-31 14:23 – Updated: 2025-11-03 21:31
VLAI
Summary
DOMPurify vulnerable to tampering by prototype polution
Details

dompurify was vulnerable to prototype pollution

Fixed by https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "dompurify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-48910"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-31T14:23:34Z",
    "nvd_published_at": "2024-10-31T15:15:15Z",
    "severity": "CRITICAL"
  },
  "details": "dompurify was vulnerable to prototype pollution\n\nFixed by https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc",
  "id": "GHSA-p3vf-v8qc-cwcr",
  "modified": "2025-11-03T21:31:29Z",
  "published": "2024-10-31T14:23:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48910"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cure53/DOMPurify"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00010.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "DOMPurify vulnerable to tampering by prototype polution"
}

GHSA-P495-JXH2-WRFG

Vulnerability from github – Published: 2022-12-15 21:30 – Updated: 2022-12-20 18:53
VLAI
Summary
npm package rfc6902 vulnerable to Prototype Pollution
Details

A vulnerability classified as problematic has been found in chbrown rfc6902. This affects an unknown part of the file pointer.ts. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The exploit has been disclosed to the public and may be used. The name of the patch is c006ce9faa43d31edb34924f1df7b79c137096cf. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-215883.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "rfc6902"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-4245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-15T23:29:47Z",
    "nvd_published_at": "2022-12-15T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability classified as problematic has been found in chbrown rfc6902. This affects an unknown part of the file pointer.ts. The manipulation leads to improperly controlled modification of object prototype attributes (\u0027prototype pollution\u0027). The exploit has been disclosed to the public and may be used. The name of the patch is c006ce9faa43d31edb34924f1df7b79c137096cf. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-215883.",
  "id": "GHSA-p495-jxh2-wrfg",
  "modified": "2022-12-20T18:53:51Z",
  "published": "2022-12-15T21:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4245"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chbrown/rfc6902/issues/84"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chbrown/rfc6902/pull/76"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chbrown/rfc6902/commit/c006ce9faa43d31edb34924f1df7b79c137096cf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chbrown/rfc6902"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.215883"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "npm package rfc6902 vulnerable to Prototype Pollution"
}

GHSA-P5G9-RJCF-95VJ

Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-08 14:49
VLAI
Summary
fastest-json-copy vulnerable to Prototype Pollution
Details

fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the __proto__ property to be edited.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fastest-json-copy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-41714"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-08T14:49:19Z",
    "nvd_published_at": "2022-11-03T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the `__proto__` property to be edited.",
  "id": "GHSA-p5g9-rjcf-95vj",
  "modified": "2022-11-08T14:49:19Z",
  "published": "2022-11-04T12:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41714"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/guetta"
    },
    {
      "type": "WEB",
      "url": "https://github.com/streamich/fastest-json-copy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fastest-json-copy vulnerable to Prototype Pollution"
}

GHSA-P5M3-27VH-52J4

Vulnerability from github – Published: 2022-10-26 12:00 – Updated: 2022-10-31 19:25
VLAI
Summary
Feather-Sequelize cleanQuery method vulnerable to Prototype Pollution
Details

Feather-Sequelize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "feathers-sequelize"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-29823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-31T19:25:00Z",
    "nvd_published_at": "2022-10-26T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Feather-Sequelize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application.",
  "id": "GHSA-p5m3-27vh-52j4",
  "modified": "2022-10-31T19:25:00Z",
  "published": "2022-10-26T12:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29823"
    },
    {
      "type": "WEB",
      "url": "https://github.com/feathersjs-ecosystem/feathers-sequelize/commit/0b7beaa773dc313fdb27edd9ee8115064d7cf114"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/CVE-2022-29823"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/DIVD-2022-00020"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/cases/DIVD-2022-00020"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/cves/CVE-2022-29823"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/feathersjs-ecosystem/feathers-sequelize"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Feather-Sequelize cleanQuery method vulnerable to Prototype Pollution"
}

GHSA-P6H4-93QP-JHCM

Vulnerability from github – Published: 2022-03-11 23:53 – Updated: 2022-04-19 18:24
VLAI
Summary
Command injection in Parse Server through prototype pollution
Details

Impact

This is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file DatabaseController.js, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows.

Patches

Upgrade to Parse Server >=4.10.7. If you are using a prerelease version of Parse Server 5.0 (alpha, beta) we will publish a timely fix for these. However, as a general reminder we do not consider prerelease versions to be suitable for production deployment.

Note that as part of the fix a new security feature scans for sensitive keywords in request data to prevent JavaScript prototype pollution. If such a keyword is found, the request is rejected with HTTP response code 400 and Parse Error 105 (INVALID_KEY_NAME). By default these keywords are: {_bsontype: "Code"}, constructor, __proto__. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server option requestKeywordDenylist to [] and specify your own keywords as needed.

Workarounds

Although the fix is more broad and includes several aspects of the vulnerability, a quick and targeted fix can be achieved by patching the MongoDB Node.js driver and disable BSON code execution. To apply the patch, add the following code to be executed before starting Parse Server, for example in index.js.

const BSON = require('bson');
 const internalDeserialize = BSON.prototype.deserialize;
 BSON.prototype.deserialize = (buffer, options = Object.create(null), ...others) => {
   if (options.constructor) {
     options = Object.assign(Object.create(null), options);
   }
   return internalDeserialize(buffer, options, ...others);
 };
 const internalDeserializeStream = BSON.prototype.deserializeStream;
 BSON.prototype.deserializeStream = (
   data,
   startIndex,
   numberOfDocuments,
   documents,
   docStartIndex,
   options = Object.create(null),
   ...others
 ) => {
   if (options.constructor) {
     options = Object.assign(Object.create(null), options);
   }
   return internalDeserializeStream(
     data,
     startIndex,
     numberOfDocuments,
     documents,
     docStartIndex,
     options,
     ...others
   );
 };

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.10.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24760"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-11T23:53:23Z",
    "nvd_published_at": "2022-03-12T00:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nThis is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows.\n\n### Patches\nUpgrade to Parse Server \u003e=4.10.7. If you are using a prerelease version of Parse Server 5.0 (alpha, beta) we will publish a timely fix for these. However, as a general reminder we do not consider prerelease versions to be suitable for production deployment.\n\nNote that as part of the fix a new security feature scans for sensitive keywords in request data to prevent JavaScript prototype pollution. If such a keyword is found, the request is rejected with HTTP response code `400` and Parse Error `105` (`INVALID_KEY_NAME`). By default these keywords are: `{_bsontype: \"Code\"}`, `constructor`, `__proto__`. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server option `requestKeywordDenylist` to `[]` and specify your own keywords as needed.\n\n### Workarounds\nAlthough the fix is more broad and includes several aspects of the vulnerability, a quick and targeted fix can be achieved by patching the MongoDB Node.js driver and disable BSON code execution. To apply the patch, add the following code to be executed before starting Parse Server, for example in `index.js`.\n\n```\nconst BSON = require(\u0027bson\u0027);\n const internalDeserialize = BSON.prototype.deserialize;\n BSON.prototype.deserialize = (buffer, options = Object.create(null), ...others) =\u003e {\n   if (options.constructor) {\n     options = Object.assign(Object.create(null), options);\n   }\n   return internalDeserialize(buffer, options, ...others);\n };\n const internalDeserializeStream = BSON.prototype.deserializeStream;\n BSON.prototype.deserializeStream = (\n   data,\n   startIndex,\n   numberOfDocuments,\n   documents,\n   docStartIndex,\n   options = Object.create(null),\n   ...others\n ) =\u003e {\n   if (options.constructor) {\n     options = Object.assign(Object.create(null), options);\n   }\n   return internalDeserializeStream(\n     data,\n     startIndex,\n     numberOfDocuments,\n     documents,\n     docStartIndex,\n     options,\n     ...others\n   );\n };\n```\n\n### References\n- Original report on [huntr.dev](https://www.huntr.dev/bounties/ac24b343-e7da-4bc7-ab38-4f4f5cc9d099/)\n",
  "id": "GHSA-p6h4-93qp-jhcm",
  "modified": "2022-04-19T18:24:25Z",
  "published": "2022-03-11T23:53:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p6h4-93qp-jhcm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24760"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/886bfd7cac69496e3f73d4bb536f0eec3cba0e4d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    },
    {
      "type": "WEB",
      "url": "https://www.huntr.dev/bounties/ac24b343-e7da-4bc7-ab38-4f4f5cc9d099"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Command injection in Parse Server through prototype pollution"
}

GHSA-P6JH-P7Q8-PCRG

Vulnerability from github – Published: 2021-05-06 18:26 – Updated: 2021-05-05 17:59
VLAI
Summary
Prototype Pollution in nodee-utils
Details

All versions of package nodee-utils below version 1.2.3 are vulnerable to Prototype Pollution via the deepSet function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nodee-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7722"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T17:59:12Z",
    "nvd_published_at": "2020-09-01T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "All versions of package nodee-utils below version 1.2.3 are vulnerable to Prototype Pollution via the deepSet function.",
  "id": "GHSA-p6jh-p7q8-pcrg",
  "modified": "2021-05-05T17:59:12Z",
  "published": "2021-05-06T18:26:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7722"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodee-apps/utils/commit/52460d936c52f03c9907bc99ac5e890970cef83c"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-NODEEUTILS-598679"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in nodee-utils"
}

GHSA-P6MC-M468-83GW

Vulnerability from github – Published: 2020-07-15 19:15 – Updated: 2025-08-12 21:43
VLAI
Summary
Prototype Pollution in lodash
Details

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "fixed": "4.17.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash-es"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "fixed": "4.17.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash.pick"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "last_affected": "4.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash.set"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "last_affected": "4.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash.setwith"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash.update"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash.updatewith"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "lodash-rails"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "fixed": "4.17.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-8203"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-07-15T19:14:58Z",
    "nvd_published_at": "2020-07-15T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.",
  "id": "GHSA-p6mc-m468-83gw",
  "modified": "2025-08-12T21:43:38Z",
  "published": "2020-07-15T19:15:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lodash/lodash/issues/4744"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lodash/lodash/issues/4874"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/advisory-database/pull/2884"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/712065"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/864701"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lodash/lodash"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lodash/lodash/wiki/Changelog#v41719"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200724-0006"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in lodash"
}

GHSA-P6W8-VQV9-2HXJ

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2022-12-02 21:30
VLAI
Details

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17316"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-07T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Import module by a Regular user.",
  "id": "GHSA-p6w8-vqv9-2hxj",
  "modified": "2022-12-02T21:30:46Z",
  "published": "2022-05-24T16:58:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17316"
    },
    {
      "type": "WEB",
      "url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-043"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.