CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
780 vulnerabilities reference this CWE, most recent first.
GHSA-7358-GFXQ-387J
Vulnerability from github – Published: 2024-08-29 03:30 – Updated: 2024-08-29 21:31Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function.
{
"affected": [],
"aliases": [
"CVE-2024-45435"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-29T03:15:05Z",
"severity": "CRITICAL"
},
"details": "Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function.",
"id": "GHSA-7358-gfxq-387j",
"modified": "2024-08-29T21:31:03Z",
"published": "2024-08-29T03:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45435"
},
{
"type": "WEB",
"url": "https://github.com/chartist-js/chartist/issues/1427"
},
{
"type": "WEB",
"url": "https://gist.github.com/tariqhawis/c67177164d3b7975210caddb25b60d62"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-737V-MQG7-C878
Vulnerability from github – Published: 2026-04-04 06:17 – Updated: 2026-04-06 23:42Impact
Applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to defu() are vulnerable to prototype pollution.
A crafted payload containing a __proto__ key can override intended default values in the merged result:
import { defu } from 'defu'
const userInput = JSON.parse('{"__proto__":{"isAdmin":true}}')
const config = defu(userInput, { isAdmin: false })
config.isAdmin // true — attacker overrides the server default
Root Cause
The internal _defu function used Object.assign({}, defaults) to copy the defaults object. Object.assign invokes the __proto__ setter, which replaces the resulting object's [[Prototype]] with attacker-controlled values. Properties inherited from the polluted prototype then bypass the existing __proto__ key guard in the for...in loop and land in the final result.
Fix
Replace Object.assign({}, defaults) with object spread ({ ...defaults }), which uses [[DefineOwnProperty]] and does not invoke the __proto__ setter.
Affected Versions
<= 6.1.4
Credits
Reported by @BlackHatExploitation
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.1.4"
},
"package": {
"ecosystem": "npm",
"name": "defu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35209"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-04T06:17:53Z",
"nvd_published_at": "2026-04-06T18:16:44Z",
"severity": "HIGH"
},
"details": "### Impact\n\nApplications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to `defu()` are vulnerable to prototype pollution.\n\nA crafted payload containing a `__proto__` key can override intended default values in the merged result:\n\n```js\nimport { defu } from \u0027defu\u0027\n\nconst userInput = JSON.parse(\u0027{\"__proto__\":{\"isAdmin\":true}}\u0027)\nconst config = defu(userInput, { isAdmin: false })\n\nconfig.isAdmin // true \u2014 attacker overrides the server default\n```\n\n### Root Cause\n\nThe internal `_defu` function used `Object.assign({}, defaults)` to copy the defaults object. `Object.assign` invokes the `__proto__` setter, which replaces the resulting object\u0027s `[[Prototype]]` with attacker-controlled values. Properties inherited from the polluted prototype then bypass the existing `__proto__` key guard in the `for...in` loop and land in the final result.\n\n### Fix\n\nReplace `Object.assign({}, defaults)` with object spread (`{ ...defaults }`), which uses `[[DefineOwnProperty]]` and does not invoke the `__proto__` setter.\n\n### Affected Versions\n\n\u003c= 6.1.4\n\n### Credits\n\nReported by [@BlackHatExploitation](https://github.com/BlackHatExploitation)",
"id": "GHSA-737v-mqg7-c878",
"modified": "2026-04-06T23:42:28Z",
"published": "2026-04-04T06:17:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/unjs/defu/security/advisories/GHSA-737v-mqg7-c878"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35209"
},
{
"type": "WEB",
"url": "https://github.com/unjs/defu/pull/156"
},
{
"type": "WEB",
"url": "https://github.com/unjs/defu/commit/3942bfbbcaa72084bd4284846c83bd61ed7c8b29"
},
{
"type": "PACKAGE",
"url": "https://github.com/unjs/defu"
},
{
"type": "WEB",
"url": "https://github.com/unjs/defu/releases/tag/v6.1.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "defu: Prototype pollution via `__proto__` key in defaults argument"
}
GHSA-74CR-77XC-8G6R
Vulnerability from github – Published: 2019-06-13 20:37 – Updated: 2021-08-16 15:28Versions of @apollo/gateway prior to 0.6.2 are vulnerable to Prototype Pollution. The package uses deepMerge() to merge objects, which may allow attackers to alter the Object prototype through queries with GraphQL aliases. Carefully constructed payloads can override properties of all objects in the application. This may lead to Denial of Service or may be chained with other vulnerabilities leading to Remote Code Execution.
Recommendation
Upgrade to version 0.6.2 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@apollo/gateway"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2019-06-13T20:37:08Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Versions of `@apollo/gateway` prior to 0.6.2 are vulnerable to Prototype Pollution. The package uses deepMerge() to merge objects, which may allow attackers to alter the Object prototype through queries with GraphQL aliases. Carefully constructed payloads can override properties of all objects in the application. This may lead to Denial of Service or may be chained with other vulnerabilities leading to Remote Code Execution.\n\n\n## Recommendation\n\nUpgrade to version 0.6.2 or later.\n",
"id": "GHSA-74cr-77xc-8g6r",
"modified": "2021-08-16T15:28:22Z",
"published": "2019-06-13T20:37:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/apollographql/apollo-server/pull/2779"
},
{
"type": "WEB",
"url": "https://github.com/apollographql/apollo-server/commit/cea7397582a293af6a5f60947da34b95e669c6c1"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-APOLLOGATEWAY-174915"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/917"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in @apollo/gateway"
}
GHSA-75MV-GP69-2CQM
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2022-12-02 21:30SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user.
{
"affected": [],
"aliases": [
"CVE-2019-17315"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-07T15:15:00Z",
"severity": "MODERATE"
},
"details": "SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the Administration module by an Admin user.",
"id": "GHSA-75mv-gp69-2cqm",
"modified": "2022-12-02T21:30:46Z",
"published": "2022-05-24T16:58:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17315"
},
{
"type": "WEB",
"url": "https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2019-042"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-75PX-5XX7-5XC7
Vulnerability from github – Published: 2026-05-12 15:01 – Updated: 2026-05-14 20:35Summary
protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information.
This could cause attacker-controlled strings to be emitted into generated JavaScript code.
Impact
An attacker who can first trigger a prototype pollution vulnerability may be able to influence generated protobufjs encode or decode functions in a way that can lead to arbitrary JavaScript execution.
This issue requires a separate prototype pollution primitive before protobufjs is invoked.
Applications without a reachable prototype pollution primitive are not directly exploitable through this issue alone.
Preconditions
- The application or one of its dependencies must allow an attacker to pollute
Object.prototype. - The polluted property must affect protobufjs internal type lookup behavior.
- The application must use protobufjs functionality that generates encode or decode code for affected types.
- The generated code path must be reached after the prototype pollution has occurred.
Workarounds
Avoid running affected versions in applications where attacker-controlled input can pollute Object.prototype. If immediate upgrade is not possible, remove or mitigate reachable prototype pollution primitives and isolate schema/message processing from untrusted application state.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.5.5"
},
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.1"
},
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44291"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-12T15:01:24Z",
"nvd_published_at": "2026-05-13T16:16:55Z",
"severity": "HIGH"
},
"details": "## Summary\n\nprotobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If `Object.prototype` had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information.\n\nThis could cause attacker-controlled strings to be emitted into generated JavaScript code.\n\n## Impact\n\nAn attacker who can first trigger a prototype pollution vulnerability may be able to influence generated protobufjs encode or decode functions in a way that can lead to arbitrary JavaScript execution.\n\nThis issue requires a separate prototype pollution primitive before protobufjs is invoked.\n\nApplications without a reachable prototype pollution primitive are not directly exploitable through this issue alone.\n\n## Preconditions\n\n- The application or one of its dependencies must allow an attacker to pollute `Object.prototype`.\n- The polluted property must affect protobufjs internal type lookup behavior.\n- The application must use protobufjs functionality that generates encode or decode code for affected types.\n- The generated code path must be reached after the prototype pollution has occurred.\n\n## Workarounds\n\nAvoid running affected versions in applications where attacker-controlled input can pollute `Object.prototype`. If immediate upgrade is not possible, remove or mitigate reachable prototype pollution primitives and isolate schema/message processing from untrusted application state.",
"id": "GHSA-75px-5xx7-5xc7",
"modified": "2026-05-14T20:35:15Z",
"published": "2026-05-12T15:01:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-75px-5xx7-5xc7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44291"
},
{
"type": "PACKAGE",
"url": "https://github.com/protobufjs/protobuf.js"
},
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6"
},
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "protobuf.js: Code generation gadget after prototype pollution"
}
GHSA-765H-QJXV-5F44
Vulnerability from github – Published: 2022-02-10 23:51 – Updated: 2023-11-29 20:30The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "handlebars"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.7.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23383"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-19T21:17:59Z",
"nvd_published_at": "2021-05-04T09:15:00Z",
"severity": "CRITICAL"
},
"details": "The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.",
"id": "GHSA-765h-qjxv-5f44",
"modified": "2023-11-29T20:30:56Z",
"published": "2022-02-10T23:51:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383"
},
{
"type": "WEB",
"url": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427"
},
{
"type": "PACKAGE",
"url": "https://github.com/handlebars-lang/handlebars.js"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210618-0007"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/handlebars"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in handlebars"
}
GHSA-76G8-235F-GJ6P
Vulnerability from github – Published: 2025-09-25 15:30 – Updated: 2025-09-26 13:04A prototype pollution in the lib.set function of dref v0.1.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "dref"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-26278"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-26T13:04:47Z",
"nvd_published_at": "2025-09-25T14:15:43Z",
"severity": "HIGH"
},
"details": "A prototype pollution in the lib.set function of dref v0.1.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.",
"id": "GHSA-76g8-235f-gj6p",
"modified": "2025-09-26T13:04:47Z",
"published": "2025-09-25T15:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26278"
},
{
"type": "WEB",
"url": "https://gist.github.com/tariqhawis/ad92d5e683f3a5d83e0629955ff42ad7"
},
{
"type": "WEB",
"url": "https://github.com/OrangeShieldInfos/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-26278"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "dref is vulnerable to prototype pollution"
}
GHSA-76P3-8JX3-JPFQ
Vulnerability from github – Published: 2022-10-13 12:00 – Updated: 2022-11-04 20:29Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils prior to version 2.0.3 via the name variable in parseQuery.js.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "loader-utils"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "loader-utils"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-37601"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-04T20:29:12Z",
"nvd_published_at": "2022-10-12T20:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils prior to version 2.0.3 via the name variable in parseQuery.js.",
"id": "GHSA-76p3-8jx3-jpfq",
"modified": "2022-11-04T20:29:12Z",
"published": "2022-10-13T12:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37601"
},
{
"type": "WEB",
"url": "https://github.com/webpack/loader-utils/issues/212"
},
{
"type": "WEB",
"url": "https://github.com/webpack/loader-utils/issues/212#issuecomment-1319192884"
},
{
"type": "WEB",
"url": "https://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826"
},
{
"type": "WEB",
"url": "https://github.com/webpack/loader-utils/pull/217"
},
{
"type": "WEB",
"url": "https://github.com/webpack/loader-utils/pull/220"
},
{
"type": "WEB",
"url": "https://github.com/webpack/loader-utils/commit/4504e34c4796a5836ef70458327351675aed48a5"
},
{
"type": "WEB",
"url": "https://github.com/webpack/loader-utils/commit/a93cf6f4702012030f6b5ee8340d5c95ec1c7d4c"
},
{
"type": "WEB",
"url": "https://github.com/webpack/loader-utils/commit/f4e48a232fae900237c3e5ff7b57ce9e1c734de1"
},
{
"type": "WEB",
"url": "https://dl.acm.org/doi/abs/10.1145/3488932.3497769"
},
{
"type": "WEB",
"url": "https://dl.acm.org/doi/pdf/10.1145/3488932.3497769"
},
{
"type": "PACKAGE",
"url": "https://github.com/webpack/loader-utils"
},
{
"type": "WEB",
"url": "https://github.com/webpack/loader-utils/releases/tag/v1.4.1"
},
{
"type": "WEB",
"url": "https://github.com/webpack/loader-utils/releases/tag/v2.0.3"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00044.html"
},
{
"type": "WEB",
"url": "http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in webpack loader-utils"
}
GHSA-776F-QX25-Q3CC
Vulnerability from github – Published: 2023-04-05 21:30 – Updated: 2025-02-13 22:08xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "xml2js"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-0842"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-07T21:00:54Z",
"nvd_published_at": "2023-04-05T20:15:00Z",
"severity": "MODERATE"
},
"details": "xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.",
"id": "GHSA-776f-qx25-q3cc",
"modified": "2025-02-13T22:08:55Z",
"published": "2023-04-05T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0842"
},
{
"type": "WEB",
"url": "https://github.com/Leonidas-from-XIV/node-xml2js/issues/663"
},
{
"type": "WEB",
"url": "https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/advisories/myers"
},
{
"type": "PACKAGE",
"url": "https://github.com/Leonidas-from-XIV/node-xml2js"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "xml2js is vulnerable to prototype pollution"
}
GHSA-779F-WGXG-QR8F
Vulnerability from github – Published: 2020-09-03 18:10 – Updated: 2020-08-31 18:46Versions of lodash.mergewith before 4.6.2 are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Recommendation
Update to version 4.6.2 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "lodash.mergewith"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T18:46:16Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Versions of `lodash.mergewith` before 4.6.2 are vulnerable to prototype pollution. The function `mergeWith` may allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.6.2 or later.",
"id": "GHSA-779f-wgxg-qr8f",
"modified": "2020-08-31T18:46:16Z",
"published": "2020-09-03T18:10:22Z",
"references": [
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1071"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Prototype Pollution in lodash.mergewith"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.