Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

782 vulnerabilities reference this CWE, most recent first.

GHSA-7MG4-W3W5-X5PC

Vulnerability from github – Published: 2021-05-10 18:37 – Updated: 2025-03-05 19:04
VLAI
Summary
Prototype pollution in json-pointer
Details

This affects the package json-pointer before 0.6.1. Multiple reference of object using slash is supported.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "json-pointer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.webjars.npm:json-pointer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7709"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-21T21:10:19Z",
    "nvd_published_at": "2020-10-05T08:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This affects the package json-pointer before 0.6.1. Multiple reference of object using slash is supported.",
  "id": "GHSA-7mg4-w3w5-x5pc",
  "modified": "2025-03-05T19:04:37Z",
  "published": "2021-05-10T18:37:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7709"
    },
    {
      "type": "WEB",
      "url": "https://github.com/manuelstofer/json-pointer/pull/34"
    },
    {
      "type": "WEB",
      "url": "https://github.com/manuelstofer/json-pointer/pull/34/files"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/manuelstofer/json-pointer"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-598862"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-596925"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/json-pointer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in json-pointer"
}

GHSA-7PPQ-3WW2-75F4

Vulnerability from github – Published: 2024-07-24 21:31 – Updated: 2024-07-24 21:31
VLAI
Details

A vulnerability in the web-based management interface of HPE Aruba Networking EdgeConnect SD-WAN gateway could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33519"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-24T20:15:03Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the web-based management interface of HPE Aruba Networking EdgeConnect SD-WAN gateway could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.",
  "id": "GHSA-7ppq-3ww2-75f4",
  "modified": "2024-07-24T21:31:30Z",
  "published": "2024-07-24T21:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33519"
    },
    {
      "type": "WEB",
      "url": "https://csaf.arubanetworks.com/2024/hpe_aruba_networking_-_hpesbnw04673.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7PRF-VW4P-QR59

Vulnerability from github – Published: 2021-12-10 19:03 – Updated: 2021-06-22 15:45
VLAI
Summary
Prototype pollution in supermixer
Details

Prototype pollution in Stampit supermixer allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "supermixer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-24939"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-17T18:46:22Z",
    "nvd_published_at": "2021-06-16T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Prototype pollution in Stampit supermixer allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation.",
  "id": "GHSA-7prf-vw4p-qr59",
  "modified": "2021-06-22T15:45:35Z",
  "published": "2021-12-10T19:03:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24939"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stampit-org/supermixer/issues/9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stampit-org/supermixer/commit/94dcc6fc45e0fed96187cb52aaffadf76dbbc0a3"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/959987"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stampit-org/supermixer/compare/v1.0.4...v1.0.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in supermixer"
}

GHSA-7PVX-4585-HQWW

Vulnerability from github – Published: 2023-11-24 21:30 – Updated: 2023-12-01 22:37
VLAI
Summary
sequelize-typescript Prototype Pollution vulnerability
Details

Prototype Pollution in GitHub repository robinbuschmann/sequelize-typescript prior to 2.1.6.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "sequelize-typescript"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-6293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-01T22:37:52Z",
    "nvd_published_at": "2023-11-24T20:15:07Z",
    "severity": "HIGH"
  },
  "details": "Prototype Pollution in GitHub repository robinbuschmann/sequelize-typescript prior to 2.1.6.",
  "id": "GHSA-7pvx-4585-hqww",
  "modified": "2023-12-01T22:37:52Z",
  "published": "2023-11-24T21:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6293"
    },
    {
      "type": "WEB",
      "url": "https://github.com/robinbuschmann/sequelize-typescript/commit/5ce8afdd1671b08c774ce106b000605ba8fccf78"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/robinbuschmann/sequelize-typescript"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/36a7ecbf-4d3d-462e-86a3-cda7b1ec64e2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "sequelize-typescript Prototype Pollution vulnerability"
}

GHSA-7PX2-3C2P-Q4V4

Vulnerability from github – Published: 2023-06-30 06:30 – Updated: 2023-06-30 20:38
VLAI
Summary
flatnest Prototype Pollution vulnerability
Details

All versions of the package flatnest are vulnerable to Prototype Pollution via the nest() function in flatnest/nest.js file.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "flatnest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26135"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-30T20:38:36Z",
    "nvd_published_at": "2023-06-30T05:15:09Z",
    "severity": "HIGH"
  },
  "details": "All versions of the package flatnest are vulnerable to Prototype Pollution via the `nest()` function in `flatnest/nest.js` file.",
  "id": "GHSA-7px2-3c2p-q4v4",
  "modified": "2023-06-30T20:38:36Z",
  "published": "2023-06-30T06:30:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26135"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brycebaril/node-flatnest/issues/4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brycebaril/node-flatnest/commit/27d569baf9d9d25677640edeaf2d13af165868d6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/brycebaril/node-flatnest"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brycebaril/node-flatnest/blob/b7d97ec64a04632378db87fcf3577bd51ac3ee39/nest.js#L43"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brycebaril/node-flatnest/blob/b7d97ec64a04632378db87fcf3577bd51ac3ee39/nest.js%23L43"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-FLATNEST-3185149"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "flatnest Prototype Pollution vulnerability"
}

GHSA-7QGG-VW88-CC99

Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-09-03 15:22
VLAI
Summary
utils-extend Prototype Pollution
Details

The latest version of utils-extend (1.0.8) is vulnerable to Prototype Pollution through the entry function(s) lib.extend. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence.

PoC

async function exploit() {
   const utilsextend = require(\"utils-extend\");
   const payload = JSON.parse('{\"__proto__\":{\"exploited\":true}}');
   const result = await utilsextend.extend({}, payload);
}

await exploit();
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "utils-extend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-57077"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-06T23:31:52Z",
    "nvd_published_at": "2025-02-05T22:15:31Z",
    "severity": "CRITICAL"
  },
  "details": "The latest version of utils-extend (1.0.8) is vulnerable to Prototype Pollution through the entry function(s) lib.extend. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence.\n\n## PoC\n```js\nasync function exploit() {\n   const utilsextend = require(\\\"utils-extend\\\");\n   const payload = JSON.parse(\u0027{\\\"__proto__\\\":{\\\"exploited\\\":true}}\u0027);\n   const result = await utilsextend.extend({}, payload);\n}\n\nawait exploit();\n```",
  "id": "GHSA-7qgg-vw88-cc99",
  "modified": "2025-09-03T15:22:41Z",
  "published": "2025-02-06T06:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57077"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/tariqhawis/64bac50f8c2706e6880e45d50a507114"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/douzi8/utils-extend"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "utils-extend Prototype Pollution"
}

GHSA-7QM6-9V49-38M9

Vulnerability from github – Published: 2021-12-10 18:55 – Updated: 2023-09-11 18:40
VLAI
Summary
Prototype Pollution in record-like-deep-assign
Details

All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality.

PoC

const deepAssign = require('record-like-deep-assign');
let obj = {};
console.log("Before being polluted: " + obj.polluted);
EVIL_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
deepAssign({}, EVIL_JSON);
console.log("After being polluted: " + obj.polluted);
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "record-like-deep-assign"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23402"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-06T14:32:33Z",
    "nvd_published_at": "2021-07-02T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality.\n\n### PoC\n```js\nconst deepAssign = require(\u0027record-like-deep-assign\u0027);\nlet obj = {};\nconsole.log(\"Before being polluted: \" + obj.polluted);\nEVIL_JSON = JSON.parse(\u0027{\"__proto__\":{\"polluted\":true}}\u0027);\ndeepAssign({}, EVIL_JSON);\nconsole.log(\"After being polluted: \" + obj.polluted);\n```",
  "id": "GHSA-7qm6-9v49-38m9",
  "modified": "2023-09-11T18:40:49Z",
  "published": "2021-12-10T18:55:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23402"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kripod/record-like-deep-assign"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kripod/record-like-deep-assign/blob/v1.0.1/src/mod.ts%23L17-L35"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-RECORDLIKEDEEPASSIGN-1311024"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in record-like-deep-assign"
}

GHSA-7QQQ-GH2F-WQ76

Vulnerability from github – Published: 2022-08-10 00:00 – Updated: 2022-08-15 20:13
VLAI
Summary
ts-deepmerge before 2.0.2 vulnerable to Prototype Pollution
Details

The package ts-deepmerge before version 2.0.2 is vulnerable to Prototype Pollution due to missing sanitization of the merge function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ts-deepmerge"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25907"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-11T18:13:21Z",
    "nvd_published_at": "2022-08-09T05:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The package ts-deepmerge before version 2.0.2 is vulnerable to Prototype Pollution due to missing sanitization of the `merge` function.",
  "id": "GHSA-7qqq-gh2f-wq76",
  "modified": "2022-08-15T20:13:34Z",
  "published": "2022-08-10T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25907"
    },
    {
      "type": "WEB",
      "url": "https://github.com/voodoocreation/ts-deepmerge/commit/9be5148773343c57be9de39728d6ead18eddf10b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/voodoocreation/ts-deepmerge"
    },
    {
      "type": "WEB",
      "url": "https://github.com/voodoocreation/ts-deepmerge/releases/tag/2.0.2"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-TSDEEPMERGE-2959975"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ts-deepmerge before 2.0.2 vulnerable to Prototype Pollution"
}

GHSA-7RX3-28CR-V5WH

Vulnerability from github – Published: 2026-03-29 15:17 – Updated: 2026-03-29 15:17
VLAI
Summary
Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry
Details

Summary

The prototype method blocklist in lib/handlebars/internal/proto-access.js blocks constructor, __defineGetter__, __defineSetter__, and __lookupGetter__, but omits the symmetric __lookupSetter__. This omission is only exploitable when the non-default runtime option allowProtoMethodsByDefault: true is explicitly set — in that configuration __lookupSetter__ becomes accessible while its counterparts remain blocked, creating an inconsistent security boundary.

4.6.0 is the version that introduced protoAccessControl and the allowProtoMethodsByDefault runtime option.

Description

In lib/handlebars/internal/proto-access.js:

const methodWhiteList = Object.create(null);
methodWhiteList['constructor']      = false;
methodWhiteList['__defineGetter__'] = false;
methodWhiteList['__defineSetter__'] = false;
methodWhiteList['__lookupGetter__'] = false;
// __lookupSetter__ intentionally blocked in CVE-2021-23383,
// but omitted here — creating an asymmetric blocklist

All four legacy accessor helpers (__defineGetter__, __defineSetter__, __lookupGetter__, __lookupSetter__) were involved in the exploit chain addressed by CVE-2021-23383. Three of the four were explicitly blocked; __lookupSetter__ was left out.

When allowProtoMethodsByDefault: true is set, any prototype method not present in methodWhiteList is permitted by default. Because __lookupSetter__ is absent from the list, it passes the checkWhiteList check and is accessible in templates, while __lookupGetter__ (its sibling) is correctly denied.

Workarounds

  • Do not set allowProtoMethodsByDefault: true. The default configuration is not affected.
  • If allowProtoMethodsByDefault must be enabled, ensure templates do not reference __lookupSetter__ through untrusted input.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.7.8"
      },
      "package": {
        "ecosystem": "npm",
        "name": "handlebars"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.6.0"
            },
            {
              "fixed": "4.7.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-29T15:17:15Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe prototype method blocklist in `lib/handlebars/internal/proto-access.js` blocks `constructor`, `__defineGetter__`, `__defineSetter__`, and `__lookupGetter__`, but omits the symmetric `__lookupSetter__`. This omission is only exploitable when the non-default runtime option `allowProtoMethodsByDefault: true` is explicitly set \u2014 in that configuration `__lookupSetter__` becomes accessible while its counterparts remain blocked, creating an inconsistent security boundary.\n\n`4.6.0` is the version that introduced `protoAccessControl` and the `allowProtoMethodsByDefault` runtime option.\n\n## Description\n\nIn `lib/handlebars/internal/proto-access.js`:\n\n```javascript\nconst methodWhiteList = Object.create(null);\nmethodWhiteList[\u0027constructor\u0027]      = false;\nmethodWhiteList[\u0027__defineGetter__\u0027] = false;\nmethodWhiteList[\u0027__defineSetter__\u0027] = false;\nmethodWhiteList[\u0027__lookupGetter__\u0027] = false;\n// __lookupSetter__ intentionally blocked in CVE-2021-23383,\n// but omitted here \u2014 creating an asymmetric blocklist\n```\n\nAll four legacy accessor helpers (`__defineGetter__`, `__defineSetter__`, `__lookupGetter__`, `__lookupSetter__`) were involved in the exploit chain addressed by CVE-2021-23383. Three of the four were explicitly blocked; `__lookupSetter__` was left out.\n\nWhen `allowProtoMethodsByDefault: true` is set, any prototype method **not present** in `methodWhiteList` is permitted by default. Because `__lookupSetter__` is absent from the list, it passes the `checkWhiteList` check and is accessible in templates, while `__lookupGetter__` (its sibling) is correctly denied.\n\n## Workarounds\n\n- Do **not** set `allowProtoMethodsByDefault: true`. The default configuration is not affected.\n- If `allowProtoMethodsByDefault` must be enabled, ensure templates do not reference  `__lookupSetter__` through untrusted input.",
  "id": "GHSA-7rx3-28cr-v5wh",
  "modified": "2026-03-29T15:17:15Z",
  "published": "2026-03-29T15:17:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-7rx3-28cr-v5wh"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-765h-qjxv-5f44"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/handlebars-lang/handlebars.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry"
}

GHSA-7VRV-5M2H-RJW9

Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-08-06 09:36
VLAI
Summary
ion-parser Prototype Pollution when malicious INI file submitted to application that parses with `parse`
Details

This affects all versions of package ion-parser. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ion-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28462"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-06T09:36:29Z",
    "nvd_published_at": "2022-07-25T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "This affects all versions of package ion-parser. If an attacker submits a malicious INI file to an application that parses it with `parse` , they will pollute the prototype on the application. This can be exploited further depending on the context.",
  "id": "GHSA-7vrv-5m2h-rjw9",
  "modified": "2022-08-06T09:36:29Z",
  "published": "2022-07-26T00:01:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28462"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-IONPARSER-1048971"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ion-parser Prototype Pollution when malicious INI file submitted to application that parses with `parse`"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.