CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
782 vulnerabilities reference this CWE, most recent first.
GHSA-7MG4-W3W5-X5PC
Vulnerability from github – Published: 2021-05-10 18:37 – Updated: 2025-03-05 19:04This affects the package json-pointer before 0.6.1. Multiple reference of object using slash is supported.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "json-pointer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.webjars.npm:json-pointer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7709"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-21T21:10:19Z",
"nvd_published_at": "2020-10-05T08:15:00Z",
"severity": "MODERATE"
},
"details": "This affects the package json-pointer before 0.6.1. Multiple reference of object using slash is supported.",
"id": "GHSA-7mg4-w3w5-x5pc",
"modified": "2025-03-05T19:04:37Z",
"published": "2021-05-10T18:37:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7709"
},
{
"type": "WEB",
"url": "https://github.com/manuelstofer/json-pointer/pull/34"
},
{
"type": "WEB",
"url": "https://github.com/manuelstofer/json-pointer/pull/34/files"
},
{
"type": "PACKAGE",
"url": "https://github.com/manuelstofer/json-pointer"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-598862"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-JSONPOINTER-596925"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/json-pointer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in json-pointer"
}
GHSA-7PPQ-3WW2-75F4
Vulnerability from github – Published: 2024-07-24 21:31 – Updated: 2024-07-24 21:31A vulnerability in the web-based management interface of HPE Aruba Networking EdgeConnect SD-WAN gateway could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.
{
"affected": [],
"aliases": [
"CVE-2024-33519"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-24T20:15:03Z",
"severity": "HIGH"
},
"details": "A vulnerability in the web-based management interface of HPE Aruba Networking EdgeConnect SD-WAN gateway could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.",
"id": "GHSA-7ppq-3ww2-75f4",
"modified": "2024-07-24T21:31:30Z",
"published": "2024-07-24T21:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33519"
},
{
"type": "WEB",
"url": "https://csaf.arubanetworks.com/2024/hpe_aruba_networking_-_hpesbnw04673.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7PRF-VW4P-QR59
Vulnerability from github – Published: 2021-12-10 19:03 – Updated: 2021-06-22 15:45Prototype pollution in Stampit supermixer allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "supermixer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-24939"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-17T18:46:22Z",
"nvd_published_at": "2021-06-16T16:15:00Z",
"severity": "HIGH"
},
"details": "Prototype pollution in Stampit supermixer allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation.",
"id": "GHSA-7prf-vw4p-qr59",
"modified": "2021-06-22T15:45:35Z",
"published": "2021-12-10T19:03:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24939"
},
{
"type": "WEB",
"url": "https://github.com/stampit-org/supermixer/issues/9"
},
{
"type": "WEB",
"url": "https://github.com/stampit-org/supermixer/commit/94dcc6fc45e0fed96187cb52aaffadf76dbbc0a3"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/959987"
},
{
"type": "WEB",
"url": "https://github.com/stampit-org/supermixer/compare/v1.0.4...v1.0.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in supermixer"
}
GHSA-7PVX-4585-HQWW
Vulnerability from github – Published: 2023-11-24 21:30 – Updated: 2023-12-01 22:37Prototype Pollution in GitHub repository robinbuschmann/sequelize-typescript prior to 2.1.6.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "sequelize-typescript"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-6293"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-01T22:37:52Z",
"nvd_published_at": "2023-11-24T20:15:07Z",
"severity": "HIGH"
},
"details": "Prototype Pollution in GitHub repository robinbuschmann/sequelize-typescript prior to 2.1.6.",
"id": "GHSA-7pvx-4585-hqww",
"modified": "2023-12-01T22:37:52Z",
"published": "2023-11-24T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6293"
},
{
"type": "WEB",
"url": "https://github.com/robinbuschmann/sequelize-typescript/commit/5ce8afdd1671b08c774ce106b000605ba8fccf78"
},
{
"type": "PACKAGE",
"url": "https://github.com/robinbuschmann/sequelize-typescript"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/36a7ecbf-4d3d-462e-86a3-cda7b1ec64e2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "sequelize-typescript Prototype Pollution vulnerability"
}
GHSA-7PX2-3C2P-Q4V4
Vulnerability from github – Published: 2023-06-30 06:30 – Updated: 2023-06-30 20:38All versions of the package flatnest are vulnerable to Prototype Pollution via the nest() function in flatnest/nest.js file.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "flatnest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26135"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-30T20:38:36Z",
"nvd_published_at": "2023-06-30T05:15:09Z",
"severity": "HIGH"
},
"details": "All versions of the package flatnest are vulnerable to Prototype Pollution via the `nest()` function in `flatnest/nest.js` file.",
"id": "GHSA-7px2-3c2p-q4v4",
"modified": "2023-06-30T20:38:36Z",
"published": "2023-06-30T06:30:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26135"
},
{
"type": "WEB",
"url": "https://github.com/brycebaril/node-flatnest/issues/4"
},
{
"type": "WEB",
"url": "https://github.com/brycebaril/node-flatnest/commit/27d569baf9d9d25677640edeaf2d13af165868d6"
},
{
"type": "PACKAGE",
"url": "https://github.com/brycebaril/node-flatnest"
},
{
"type": "WEB",
"url": "https://github.com/brycebaril/node-flatnest/blob/b7d97ec64a04632378db87fcf3577bd51ac3ee39/nest.js#L43"
},
{
"type": "WEB",
"url": "https://github.com/brycebaril/node-flatnest/blob/b7d97ec64a04632378db87fcf3577bd51ac3ee39/nest.js%23L43"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-FLATNEST-3185149"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "flatnest Prototype Pollution vulnerability"
}
GHSA-7QGG-VW88-CC99
Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-09-03 15:22The latest version of utils-extend (1.0.8) is vulnerable to Prototype Pollution through the entry function(s) lib.extend. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence.
PoC
async function exploit() {
const utilsextend = require(\"utils-extend\");
const payload = JSON.parse('{\"__proto__\":{\"exploited\":true}}');
const result = await utilsextend.extend({}, payload);
}
await exploit();
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "utils-extend"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-57077"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-06T23:31:52Z",
"nvd_published_at": "2025-02-05T22:15:31Z",
"severity": "CRITICAL"
},
"details": "The latest version of utils-extend (1.0.8) is vulnerable to Prototype Pollution through the entry function(s) lib.extend. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence.\n\n## PoC\n```js\nasync function exploit() {\n const utilsextend = require(\\\"utils-extend\\\");\n const payload = JSON.parse(\u0027{\\\"__proto__\\\":{\\\"exploited\\\":true}}\u0027);\n const result = await utilsextend.extend({}, payload);\n}\n\nawait exploit();\n```",
"id": "GHSA-7qgg-vw88-cc99",
"modified": "2025-09-03T15:22:41Z",
"published": "2025-02-06T06:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57077"
},
{
"type": "WEB",
"url": "https://gist.github.com/tariqhawis/64bac50f8c2706e6880e45d50a507114"
},
{
"type": "PACKAGE",
"url": "https://github.com/douzi8/utils-extend"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "utils-extend Prototype Pollution"
}
GHSA-7QM6-9V49-38M9
Vulnerability from github – Published: 2021-12-10 18:55 – Updated: 2023-09-11 18:40All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality.
PoC
const deepAssign = require('record-like-deep-assign');
let obj = {};
console.log("Before being polluted: " + obj.polluted);
EVIL_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
deepAssign({}, EVIL_JSON);
console.log("After being polluted: " + obj.polluted);
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "record-like-deep-assign"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23402"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-07-06T14:32:33Z",
"nvd_published_at": "2021-07-02T16:15:00Z",
"severity": "HIGH"
},
"details": "All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality.\n\n### PoC\n```js\nconst deepAssign = require(\u0027record-like-deep-assign\u0027);\nlet obj = {};\nconsole.log(\"Before being polluted: \" + obj.polluted);\nEVIL_JSON = JSON.parse(\u0027{\"__proto__\":{\"polluted\":true}}\u0027);\ndeepAssign({}, EVIL_JSON);\nconsole.log(\"After being polluted: \" + obj.polluted);\n```",
"id": "GHSA-7qm6-9v49-38m9",
"modified": "2023-09-11T18:40:49Z",
"published": "2021-12-10T18:55:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23402"
},
{
"type": "PACKAGE",
"url": "https://github.com/kripod/record-like-deep-assign"
},
{
"type": "WEB",
"url": "https://github.com/kripod/record-like-deep-assign/blob/v1.0.1/src/mod.ts%23L17-L35"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-RECORDLIKEDEEPASSIGN-1311024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in record-like-deep-assign"
}
GHSA-7QQQ-GH2F-WQ76
Vulnerability from github – Published: 2022-08-10 00:00 – Updated: 2022-08-15 20:13The package ts-deepmerge before version 2.0.2 is vulnerable to Prototype Pollution due to missing sanitization of the merge function.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ts-deepmerge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25907"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-11T18:13:21Z",
"nvd_published_at": "2022-08-09T05:15:00Z",
"severity": "CRITICAL"
},
"details": "The package ts-deepmerge before version 2.0.2 is vulnerable to Prototype Pollution due to missing sanitization of the `merge` function.",
"id": "GHSA-7qqq-gh2f-wq76",
"modified": "2022-08-15T20:13:34Z",
"published": "2022-08-10T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25907"
},
{
"type": "WEB",
"url": "https://github.com/voodoocreation/ts-deepmerge/commit/9be5148773343c57be9de39728d6ead18eddf10b"
},
{
"type": "PACKAGE",
"url": "https://github.com/voodoocreation/ts-deepmerge"
},
{
"type": "WEB",
"url": "https://github.com/voodoocreation/ts-deepmerge/releases/tag/2.0.2"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-TSDEEPMERGE-2959975"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ts-deepmerge before 2.0.2 vulnerable to Prototype Pollution"
}
GHSA-7RX3-28CR-V5WH
Vulnerability from github – Published: 2026-03-29 15:17 – Updated: 2026-03-29 15:17Summary
The prototype method blocklist in lib/handlebars/internal/proto-access.js blocks constructor, __defineGetter__, __defineSetter__, and __lookupGetter__, but omits the symmetric __lookupSetter__. This omission is only exploitable when the non-default runtime option allowProtoMethodsByDefault: true is explicitly set — in that configuration __lookupSetter__ becomes accessible while its counterparts remain blocked, creating an inconsistent security boundary.
4.6.0 is the version that introduced protoAccessControl and the allowProtoMethodsByDefault runtime option.
Description
In lib/handlebars/internal/proto-access.js:
const methodWhiteList = Object.create(null);
methodWhiteList['constructor'] = false;
methodWhiteList['__defineGetter__'] = false;
methodWhiteList['__defineSetter__'] = false;
methodWhiteList['__lookupGetter__'] = false;
// __lookupSetter__ intentionally blocked in CVE-2021-23383,
// but omitted here — creating an asymmetric blocklist
All four legacy accessor helpers (__defineGetter__, __defineSetter__, __lookupGetter__, __lookupSetter__) were involved in the exploit chain addressed by CVE-2021-23383. Three of the four were explicitly blocked; __lookupSetter__ was left out.
When allowProtoMethodsByDefault: true is set, any prototype method not present in methodWhiteList is permitted by default. Because __lookupSetter__ is absent from the list, it passes the checkWhiteList check and is accessible in templates, while __lookupGetter__ (its sibling) is correctly denied.
Workarounds
- Do not set
allowProtoMethodsByDefault: true. The default configuration is not affected. - If
allowProtoMethodsByDefaultmust be enabled, ensure templates do not reference__lookupSetter__through untrusted input.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.7.8"
},
"package": {
"ecosystem": "npm",
"name": "handlebars"
},
"ranges": [
{
"events": [
{
"introduced": "4.6.0"
},
{
"fixed": "4.7.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-29T15:17:15Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThe prototype method blocklist in `lib/handlebars/internal/proto-access.js` blocks `constructor`, `__defineGetter__`, `__defineSetter__`, and `__lookupGetter__`, but omits the symmetric `__lookupSetter__`. This omission is only exploitable when the non-default runtime option `allowProtoMethodsByDefault: true` is explicitly set \u2014 in that configuration `__lookupSetter__` becomes accessible while its counterparts remain blocked, creating an inconsistent security boundary.\n\n`4.6.0` is the version that introduced `protoAccessControl` and the `allowProtoMethodsByDefault` runtime option.\n\n## Description\n\nIn `lib/handlebars/internal/proto-access.js`:\n\n```javascript\nconst methodWhiteList = Object.create(null);\nmethodWhiteList[\u0027constructor\u0027] = false;\nmethodWhiteList[\u0027__defineGetter__\u0027] = false;\nmethodWhiteList[\u0027__defineSetter__\u0027] = false;\nmethodWhiteList[\u0027__lookupGetter__\u0027] = false;\n// __lookupSetter__ intentionally blocked in CVE-2021-23383,\n// but omitted here \u2014 creating an asymmetric blocklist\n```\n\nAll four legacy accessor helpers (`__defineGetter__`, `__defineSetter__`, `__lookupGetter__`, `__lookupSetter__`) were involved in the exploit chain addressed by CVE-2021-23383. Three of the four were explicitly blocked; `__lookupSetter__` was left out.\n\nWhen `allowProtoMethodsByDefault: true` is set, any prototype method **not present** in `methodWhiteList` is permitted by default. Because `__lookupSetter__` is absent from the list, it passes the `checkWhiteList` check and is accessible in templates, while `__lookupGetter__` (its sibling) is correctly denied.\n\n## Workarounds\n\n- Do **not** set `allowProtoMethodsByDefault: true`. The default configuration is not affected.\n- If `allowProtoMethodsByDefault` must be enabled, ensure templates do not reference `__lookupSetter__` through untrusted input.",
"id": "GHSA-7rx3-28cr-v5wh",
"modified": "2026-03-29T15:17:15Z",
"published": "2026-03-29T15:17:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-7rx3-28cr-v5wh"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-765h-qjxv-5f44"
},
{
"type": "PACKAGE",
"url": "https://github.com/handlebars-lang/handlebars.js"
},
{
"type": "WEB",
"url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry"
}
GHSA-7VRV-5M2H-RJW9
Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-08-06 09:36This affects all versions of package ion-parser. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ion-parser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28462"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-06T09:36:29Z",
"nvd_published_at": "2022-07-25T14:15:00Z",
"severity": "CRITICAL"
},
"details": "This affects all versions of package ion-parser. If an attacker submits a malicious INI file to an application that parses it with `parse` , they will pollute the prototype on the application. This can be exploited further depending on the context.",
"id": "GHSA-7vrv-5m2h-rjw9",
"modified": "2022-08-06T09:36:29Z",
"published": "2022-07-26T00:01:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28462"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-IONPARSER-1048971"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ion-parser Prototype Pollution when malicious INI file submitted to application that parses with `parse`"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.