Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

779 vulnerabilities reference this CWE, most recent first.

GHSA-WXFJ-84XF-7GXV

Vulnerability from github – Published: 2023-02-28 06:30 – Updated: 2023-03-08 23:14
VLAI
Summary
mde utilities contains Prototype Pollution
Details

All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "utilities"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26105"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-06T21:55:12Z",
    "nvd_published_at": "2023-02-28T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function.",
  "id": "GHSA-wxfj-84xf-7gxv",
  "modified": "2023-03-08T23:14:00Z",
  "published": "2023-02-28T06:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26105"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mde/utilities/issues/29"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-UTILITIES-3184491"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "mde utilities contains Prototype Pollution"
}

GHSA-X2W5-725J-GF2G

Vulnerability from github – Published: 2022-04-20 16:21 – Updated: 2022-05-26 19:43
VLAI
Summary
Prototype Pollution in convict
Details

Impact

  • An attacker can inject attributes that are used in other components
  • An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.

The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files.

Patches

The problem is patched in convict@6.2.3. Users should upgrade to convict@6.2.3.

Workarounds

No way for users to fix or remediate the vulnerability without upgrading

References

  • https://www.huntr.dev/bounties/1-npm-convict/
  • 384

  • 3b86be087d8f14681a9c889d45da7fe3ad9cd880
  • 1ea0ab19c5208f66509e1c43b0d0f21c1fd29b75

For more information

If you have any questions or comments about this advisory: add your question as a comment in #384

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "convict"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-22143"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-20T16:21:03Z",
    "nvd_published_at": "2022-05-01T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\n* An attacker can inject attributes that are used in other components\n* An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.\n\nThe main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it\u0027s unlikely that an admin would deliberately sabotage their own server. Still a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files.\n\n### Patches\n\nThe problem is patched in `convict@6.2.3`. Users should upgrade to `convict@6.2.3`.\n\n### Workarounds\n\nNo way for users to fix or remediate the vulnerability without upgrading\n\n### References\n\n* https://www.huntr.dev/bounties/1-npm-convict/\n* #384\n* 3b86be087d8f14681a9c889d45da7fe3ad9cd880\n* 1ea0ab19c5208f66509e1c43b0d0f21c1fd29b75\n\n### For more information\n\nIf you have any questions or comments about this advisory: \nadd your question as a comment in #384 \n",
  "id": "GHSA-x2w5-725j-gf2g",
  "modified": "2022-05-26T19:43:23Z",
  "published": "2022-04-20T16:21:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/node-convict/security/advisories/GHSA-x2w5-725j-gf2g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22143"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/node-convict/pull/384"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/node-convict"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/node-convict/blob/5eb1314f85346760a3c31cb14510f2f0af11d0d3/packages/convict/src/main.js%23L569"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/node-convict/releases/tag/v6.2.2"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-CONVICT-2340604"
    },
    {
      "type": "WEB",
      "url": "https://www.huntr.dev/bounties/1-npm-convict"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in convict"
}

GHSA-X3CC-X39P-42QX

Vulnerability from github – Published: 2023-06-13 12:44 – Updated: 2023-12-14 22:27
VLAI
Summary
fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name
Details

Impact

As a part of this vulnerability, user was able to se code using __proto__ as a tag or attribute name.

const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser");

let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>"

const parser = new XMLParser();
let jObj = parser.parse(XMLdata);

console.log(jObj.polluted) // should return hacked

Patches

The problem has been patched in v4.1.2

Workarounds

User can check for "proto" in the XML string before parsing it to the parser.

References

https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26920"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-13T12:44:34Z",
    "nvd_published_at": "2023-12-12T17:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAs a part of this vulnerability, user was able to se code using `__proto__` as a tag or attribute name.\n\n```js\nconst { XMLParser, XMLBuilder, XMLValidator} = require(\"fast-xml-parser\");\n\nlet XMLdata = \"\u003c__proto__\u003e\u003cpolluted\u003ehacked\u003c/polluted\u003e\u003c/__proto__\u003e\"\n\nconst parser = new XMLParser();\nlet jObj = parser.parse(XMLdata);\n\nconsole.log(jObj.polluted) // should return hacked\n``` \n\n### Patches\nThe problem has been patched in v4.1.2\n\n### Workarounds\nUser can check for \"__proto__\" in the XML string before parsing it to the parser.\n\n### References\nhttps://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7\n",
  "id": "GHSA-x3cc-x39p-42qx",
  "modified": "2023-12-14T22:27:59Z",
  "published": "2023-06-13T12:44:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-x3cc-x39p-42qx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26920"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/2b032a4f799c63d83991e4f992f1c68e4dd05804"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-793h-6f7r-6qvm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name"
}

GHSA-X3M3-4WPV-5VGC

Vulnerability from github – Published: 2024-07-01 15:32 – Updated: 2024-07-25 15:25
VLAI
Summary
jrburke requirejs vulnerable to prototype pollution
Details

jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.6"
      },
      "package": {
        "ecosystem": "npm",
        "name": "requirejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-38999"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-10T16:50:19Z",
    "nvd_published_at": "2024-07-01T13:15:05Z",
    "severity": "HIGH"
  },
  "details": "jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function `s.contexts._.configure`. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
  "id": "GHSA-x3m3-4wpv-5vgc",
  "modified": "2024-07-25T15:25:40Z",
  "published": "2024-07-01T15:32:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38999"
    },
    {
      "type": "WEB",
      "url": "https://github.com/requirejs/r.js/issues/1015"
    },
    {
      "type": "WEB",
      "url": "https://github.com/requirejs/requirejs/issues/1854"
    },
    {
      "type": "WEB",
      "url": "https://github.com/requirejs/requirejs/pull/1856/commits/ebd7a2ff71473542fa132d0d15c10fb4ed1539e1"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/9acae342285bd2998fa09ebcb1e6d30a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/requirejs/r.js"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-REQUIREJS-5416713"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "jrburke requirejs vulnerable to prototype pollution"
}

GHSA-X3WR-V4WX-5QPC

Vulnerability from github – Published: 2021-06-21 17:14 – Updated: 2022-06-29 20:41
VLAI
Summary
Prototype Pollution
Details

Prototype pollution vulnerability in ‘expand-hash’ versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "expand-hash"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-25948"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-14T19:29:17Z",
    "nvd_published_at": "2021-06-10T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in \u2018expand-hash\u2019 versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.",
  "id": "GHSA-x3wr-v4wx-5qpc",
  "modified": "2022-06-29T20:41:54Z",
  "published": "2021-06-21T17:14:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25948"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/doowb/expand-hash"
    },
    {
      "type": "WEB",
      "url": "https://github.com/doowb/expand-hash/blob/556913f6c2f05848110b5b8261cfc78e5ce3dc77/index.js#L19"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25948"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution"
}

GHSA-X5M8-2R8V-8F97

Vulnerability from github – Published: 2022-03-18 00:01 – Updated: 2022-03-29 22:05
VLAI
Summary
Prototype Pollution in libnested
Details

The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. Note: This vulnerability derives from an incomplete fix for CVE-2020-28283

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "libnested"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-18T22:57:55Z",
    "nvd_published_at": "2022-03-17T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. **Note:** This vulnerability derives from an incomplete fix for [CVE-2020-28283](https://security.snyk.io/vuln/SNYK-JS-LIBNESTED-1054930)",
  "id": "GHSA-x5m8-2r8v-8f97",
  "modified": "2022-03-29T22:05:38Z",
  "published": "2022-03-18T00:01:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25352"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dominictarr/libnested/commit/c1129865d75fbe52b5a4f755ad3110ca5420f2e1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dominictarr/libnested"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dominictarr/libnested/blob/master/index.js%23L22"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-LIBNESTED-2342117"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in libnested"
}

GHSA-X5R6-X823-9848

Vulnerability from github – Published: 2021-05-10 19:15 – Updated: 2023-09-05 22:44
VLAI
Summary
Arbitrary Code Execution in json-ptr
Details

npm json-ptr before 2.1.0 has an arbitrary code execution vulnerability. The issue occurs in the set operation when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "json-ptr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-400",
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-19T23:01:34Z",
    "nvd_published_at": "2020-11-10T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "npm `json-ptr` before 2.1.0 has an arbitrary code execution vulnerability. The issue occurs in the [set operation](https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution.",
  "id": "GHSA-x5r6-x823-9848",
  "modified": "2023-09-05T22:44:45Z",
  "published": "2021-05-10T19:15:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7766"
    },
    {
      "type": "WEB",
      "url": "https://github.com/418sec/json-ptr/pull/3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flitbit/json-ptr/commit/2539e3494c80af1eef24f0f433654a61f255f011"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flitbit/json-ptr/blob/master/src/util.ts%23L174"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038396"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-JSONPTR-1016939"
    },
    {
      "type": "WEB",
      "url": "https://www.huntr.dev/bounties/2-npm-json-ptr"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/json-ptr"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Arbitrary Code Execution in json-ptr"
}

GHSA-X6HX-7GH3-3Q98

Vulnerability from github – Published: 2021-09-02 17:09 – Updated: 2021-08-25 18:25
VLAI
Summary
Prototype Pollution in mootools
Details

This affects all versions of package mootools. This is due to the ability to pass untrusted input to Object.merge()

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "mootools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23432"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-25T18:25:11Z",
    "nvd_published_at": "2021-08-24T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This affects all versions of package mootools. This is due to the ability to pass untrusted input to Object.merge()",
  "id": "GHSA-x6hx-7gh3-3q98",
  "modified": "2021-08-25T18:25:11Z",
  "published": "2021-09-02T17:09:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23432"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vsviridov/mootools-node"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-MOOTOOLS-1325536"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in mootools"
}

GHSA-X6P3-M6H9-FX7R

Vulnerability from github – Published: 2026-06-16 22:38 – Updated: 2026-06-16 22:38
VLAI
Summary
n8n: Microsoft SQL Node Prototype Pollution
Details

Impact

An authenticated user with permission to create or modify workflows could achieve global prototype pollution via the Microsoft SQL node by supplying a crafted value as the table parameter. This pollutes Object.prototype process-wide for the lifetime of the n8n server process, causing application-wide validation failures and rendering the n8n instance completely non-functional until restarted.

Patches

The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later to remediate the vulnerability.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Disable the Microsoft SQL node by adding n8n-nodes-base.microsoftSql to the NODES_EXCLUDE environment variable.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "n8n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T22:38:52Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Impact\nAn authenticated user with permission to create or modify workflows could achieve global prototype pollution via the Microsoft SQL node by supplying a crafted value as the table parameter. This pollutes `Object.prototype` process-wide for the lifetime of the n8n server process, causing application-wide validation failures and rendering the n8n instance completely non-functional until restarted.\n\n## Patches\nThe issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the Microsoft SQL node by adding `n8n-nodes-base.microsoftSql` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.",
  "id": "GHSA-x6p3-m6h9-fx7r",
  "modified": "2026-06-16T22:38:52Z",
  "published": "2026-06-16T22:38:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-x6p3-m6h9-fx7r"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/n8n-io/n8n"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "n8n: Microsoft SQL Node Prototype Pollution"
}

GHSA-X72J-HV9F-QQH4

Vulnerability from github – Published: 2026-05-07 18:30 – Updated: 2026-05-12 16:18
VLAI
Summary
parse-ini is vulnerable to Prototype Pollution in index.js()
Details

npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-ini"
      },
      "versions": [
        "1.0.6"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-63703"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-12T16:18:45Z",
    "nvd_published_at": "2026-05-07T16:16:17Z",
    "severity": "CRITICAL"
  },
  "details": "npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().",
  "id": "GHSA-x72j-hv9f-qqh4",
  "modified": "2026-05-12T16:18:45Z",
  "published": "2026-05-07T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63703"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/6en6ar/bdc8e0d472406ab98431f10273cbdbf3"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/parse-ini?activeTab=code"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "parse-ini is vulnerable to Prototype Pollution in index.js()"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.