CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
779 vulnerabilities reference this CWE, most recent first.
GHSA-WXFJ-84XF-7GXV
Vulnerability from github – Published: 2023-02-28 06:30 – Updated: 2023-03-08 23:14All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "utilities"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26105"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-06T21:55:12Z",
"nvd_published_at": "2023-02-28T05:15:00Z",
"severity": "HIGH"
},
"details": "All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function.",
"id": "GHSA-wxfj-84xf-7gxv",
"modified": "2023-03-08T23:14:00Z",
"published": "2023-02-28T06:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26105"
},
{
"type": "WEB",
"url": "https://github.com/mde/utilities/issues/29"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-UTILITIES-3184491"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "mde utilities contains Prototype Pollution"
}
GHSA-X2W5-725J-GF2G
Vulnerability from github – Published: 2022-04-20 16:21 – Updated: 2022-05-26 19:43Impact
- An attacker can inject attributes that are used in other components
- An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.
The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files.
Patches
The problem is patched in convict@6.2.3. Users should upgrade to convict@6.2.3.
Workarounds
No way for users to fix or remediate the vulnerability without upgrading
References
- https://www.huntr.dev/bounties/1-npm-convict/
-
384
- 3b86be087d8f14681a9c889d45da7fe3ad9cd880
- 1ea0ab19c5208f66509e1c43b0d0f21c1fd29b75
For more information
If you have any questions or comments about this advisory: add your question as a comment in #384
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "convict"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-22143"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-20T16:21:03Z",
"nvd_published_at": "2022-05-01T16:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\n* An attacker can inject attributes that are used in other components\n* An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.\n\nThe main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it\u0027s unlikely that an admin would deliberately sabotage their own server. Still a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files.\n\n### Patches\n\nThe problem is patched in `convict@6.2.3`. Users should upgrade to `convict@6.2.3`.\n\n### Workarounds\n\nNo way for users to fix or remediate the vulnerability without upgrading\n\n### References\n\n* https://www.huntr.dev/bounties/1-npm-convict/\n* #384\n* 3b86be087d8f14681a9c889d45da7fe3ad9cd880\n* 1ea0ab19c5208f66509e1c43b0d0f21c1fd29b75\n\n### For more information\n\nIf you have any questions or comments about this advisory: \nadd your question as a comment in #384 \n",
"id": "GHSA-x2w5-725j-gf2g",
"modified": "2022-05-26T19:43:23Z",
"published": "2022-04-20T16:21:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict/security/advisories/GHSA-x2w5-725j-gf2g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22143"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict/pull/384"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict/blob/5eb1314f85346760a3c31cb14510f2f0af11d0d3/packages/convict/src/main.js%23L569"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict/releases/tag/v6.2.2"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-CONVICT-2340604"
},
{
"type": "WEB",
"url": "https://www.huntr.dev/bounties/1-npm-convict"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in convict"
}
GHSA-X3CC-X39P-42QX
Vulnerability from github – Published: 2023-06-13 12:44 – Updated: 2023-12-14 22:27Impact
As a part of this vulnerability, user was able to se code using __proto__ as a tag or attribute name.
const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser");
let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>"
const parser = new XMLParser();
let jObj = parser.parse(XMLdata);
console.log(jObj.polluted) // should return hacked
Patches
The problem has been patched in v4.1.2
Workarounds
User can check for "proto" in the XML string before parsing it to the parser.
References
https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fast-xml-parser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26920"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-13T12:44:34Z",
"nvd_published_at": "2023-12-12T17:15:07Z",
"severity": "MODERATE"
},
"details": "### Impact\nAs a part of this vulnerability, user was able to se code using `__proto__` as a tag or attribute name.\n\n```js\nconst { XMLParser, XMLBuilder, XMLValidator} = require(\"fast-xml-parser\");\n\nlet XMLdata = \"\u003c__proto__\u003e\u003cpolluted\u003ehacked\u003c/polluted\u003e\u003c/__proto__\u003e\"\n\nconst parser = new XMLParser();\nlet jObj = parser.parse(XMLdata);\n\nconsole.log(jObj.polluted) // should return hacked\n``` \n\n### Patches\nThe problem has been patched in v4.1.2\n\n### Workarounds\nUser can check for \"__proto__\" in the XML string before parsing it to the parser.\n\n### References\nhttps://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7\n",
"id": "GHSA-x3cc-x39p-42qx",
"modified": "2023-12-14T22:27:59Z",
"published": "2023-06-13T12:44:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-x3cc-x39p-42qx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26920"
},
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/2b032a4f799c63d83991e4f992f1c68e4dd05804"
},
{
"type": "WEB",
"url": "https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7"
},
{
"type": "PACKAGE",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-793h-6f7r-6qvm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name"
}
GHSA-X3M3-4WPV-5VGC
Vulnerability from github – Published: 2024-07-01 15:32 – Updated: 2024-07-25 15:25jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.3.6"
},
"package": {
"ecosystem": "npm",
"name": "requirejs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-38999"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-10T16:50:19Z",
"nvd_published_at": "2024-07-01T13:15:05Z",
"severity": "HIGH"
},
"details": "jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function `s.contexts._.configure`. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
"id": "GHSA-x3m3-4wpv-5vgc",
"modified": "2024-07-25T15:25:40Z",
"published": "2024-07-01T15:32:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38999"
},
{
"type": "WEB",
"url": "https://github.com/requirejs/r.js/issues/1015"
},
{
"type": "WEB",
"url": "https://github.com/requirejs/requirejs/issues/1854"
},
{
"type": "WEB",
"url": "https://github.com/requirejs/requirejs/pull/1856/commits/ebd7a2ff71473542fa132d0d15c10fb4ed1539e1"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/9acae342285bd2998fa09ebcb1e6d30a"
},
{
"type": "PACKAGE",
"url": "https://github.com/requirejs/r.js"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-REQUIREJS-5416713"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "jrburke requirejs vulnerable to prototype pollution"
}
GHSA-X3WR-V4WX-5QPC
Vulnerability from github – Published: 2021-06-21 17:14 – Updated: 2022-06-29 20:41Prototype pollution vulnerability in ‘expand-hash’ versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "expand-hash"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-25948"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-14T19:29:17Z",
"nvd_published_at": "2021-06-10T12:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in \u2018expand-hash\u2019 versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.",
"id": "GHSA-x3wr-v4wx-5qpc",
"modified": "2022-06-29T20:41:54Z",
"published": "2021-06-21T17:14:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25948"
},
{
"type": "PACKAGE",
"url": "https://github.com/doowb/expand-hash"
},
{
"type": "WEB",
"url": "https://github.com/doowb/expand-hash/blob/556913f6c2f05848110b5b8261cfc78e5ce3dc77/index.js#L19"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25948"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution"
}
GHSA-X5M8-2R8V-8F97
Vulnerability from github – Published: 2022-03-18 00:01 – Updated: 2022-03-29 22:05The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. Note: This vulnerability derives from an incomplete fix for CVE-2020-28283
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "libnested"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25352"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-18T22:57:55Z",
"nvd_published_at": "2022-03-17T12:15:00Z",
"severity": "CRITICAL"
},
"details": "The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. **Note:** This vulnerability derives from an incomplete fix for [CVE-2020-28283](https://security.snyk.io/vuln/SNYK-JS-LIBNESTED-1054930)",
"id": "GHSA-x5m8-2r8v-8f97",
"modified": "2022-03-29T22:05:38Z",
"published": "2022-03-18T00:01:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25352"
},
{
"type": "WEB",
"url": "https://github.com/dominictarr/libnested/commit/c1129865d75fbe52b5a4f755ad3110ca5420f2e1"
},
{
"type": "PACKAGE",
"url": "https://github.com/dominictarr/libnested"
},
{
"type": "WEB",
"url": "https://github.com/dominictarr/libnested/blob/master/index.js%23L22"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-LIBNESTED-2342117"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in libnested"
}
GHSA-X5R6-X823-9848
Vulnerability from github – Published: 2021-05-10 19:15 – Updated: 2023-09-05 22:44npm json-ptr before 2.1.0 has an arbitrary code execution vulnerability. The issue occurs in the set operation when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "json-ptr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7766"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-400",
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-19T23:01:34Z",
"nvd_published_at": "2020-11-10T16:15:00Z",
"severity": "HIGH"
},
"details": "npm `json-ptr` before 2.1.0 has an arbitrary code execution vulnerability. The issue occurs in the [set operation](https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution.",
"id": "GHSA-x5r6-x823-9848",
"modified": "2023-09-05T22:44:45Z",
"published": "2021-05-10T19:15:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7766"
},
{
"type": "WEB",
"url": "https://github.com/418sec/json-ptr/pull/3"
},
{
"type": "WEB",
"url": "https://github.com/flitbit/json-ptr/commit/2539e3494c80af1eef24f0f433654a61f255f011"
},
{
"type": "WEB",
"url": "https://github.com/flitbit/json-ptr/blob/master/src/util.ts%23L174"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038396"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-JSONPTR-1016939"
},
{
"type": "WEB",
"url": "https://www.huntr.dev/bounties/2-npm-json-ptr"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/json-ptr"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary Code Execution in json-ptr"
}
GHSA-X6HX-7GH3-3Q98
Vulnerability from github – Published: 2021-09-02 17:09 – Updated: 2021-08-25 18:25This affects all versions of package mootools. This is due to the ability to pass untrusted input to Object.merge()
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mootools"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23432"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-25T18:25:11Z",
"nvd_published_at": "2021-08-24T09:15:00Z",
"severity": "MODERATE"
},
"details": "This affects all versions of package mootools. This is due to the ability to pass untrusted input to Object.merge()",
"id": "GHSA-x6hx-7gh3-3q98",
"modified": "2021-08-25T18:25:11Z",
"published": "2021-09-02T17:09:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23432"
},
{
"type": "PACKAGE",
"url": "https://github.com/vsviridov/mootools-node"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-MOOTOOLS-1325536"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in mootools"
}
GHSA-X6P3-M6H9-FX7R
Vulnerability from github – Published: 2026-06-16 22:38 – Updated: 2026-06-16 22:38Impact
An authenticated user with permission to create or modify workflows could achieve global prototype pollution via the Microsoft SQL node by supplying a crafted value as the table parameter. This pollutes Object.prototype process-wide for the lifetime of the n8n server process, causing application-wide validation failures and rendering the n8n instance completely non-functional until restarted.
Patches
The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Microsoft SQL node by adding n8n-nodes-base.microsoftSql to the NODES_EXCLUDE environment variable.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54312"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T22:38:52Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Impact\nAn authenticated user with permission to create or modify workflows could achieve global prototype pollution via the Microsoft SQL node by supplying a crafted value as the table parameter. This pollutes `Object.prototype` process-wide for the lifetime of the n8n server process, causing application-wide validation failures and rendering the n8n instance completely non-functional until restarted.\n\n## Patches\nThe issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the Microsoft SQL node by adding `n8n-nodes-base.microsoftSql` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.",
"id": "GHSA-x6p3-m6h9-fx7r",
"modified": "2026-06-16T22:38:52Z",
"published": "2026-06-16T22:38:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-x6p3-m6h9-fx7r"
},
{
"type": "PACKAGE",
"url": "https://github.com/n8n-io/n8n"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "n8n: Microsoft SQL Node Prototype Pollution"
}
GHSA-X72J-HV9F-QQH4
Vulnerability from github – Published: 2026-05-07 18:30 – Updated: 2026-05-12 16:18npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-ini"
},
"versions": [
"1.0.6"
]
}
],
"aliases": [
"CVE-2025-63703"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-12T16:18:45Z",
"nvd_published_at": "2026-05-07T16:16:17Z",
"severity": "CRITICAL"
},
"details": "npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().",
"id": "GHSA-x72j-hv9f-qqh4",
"modified": "2026-05-12T16:18:45Z",
"published": "2026-05-07T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63703"
},
{
"type": "WEB",
"url": "https://gist.github.com/6en6ar/bdc8e0d472406ab98431f10273cbdbf3"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/parse-ini?activeTab=code"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "parse-ini is vulnerable to Prototype Pollution in index.js()"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.