CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
782 vulnerabilities reference this CWE, most recent first.
GHSA-8PPR-WWW8-HFJX
Vulnerability from github – Published: 2024-03-25 15:30 – Updated: 2024-08-02 15:59An issue in @thi.ng/paths v.5.1.62 and before allows a remote attacker to execute arbitrary code via the mutIn and mutInManyUnsafe components.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@thi.ng/paths"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.1.63"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-29650"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-25T19:34:46Z",
"nvd_published_at": "2024-03-25T15:15:52Z",
"severity": "CRITICAL"
},
"details": "An issue in @thi.ng/paths v.5.1.62 and before allows a remote attacker to execute arbitrary code via the `mutIn` and `mutInManyUnsafe` components.",
"id": "GHSA-8ppr-www8-hfjx",
"modified": "2024-08-02T15:59:13Z",
"published": "2024-03-25T15:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29650"
},
{
"type": "WEB",
"url": "https://github.com/thi-ng/umbrella/issues/445"
},
{
"type": "WEB",
"url": "https://github.com/thi-ng/umbrella/commit/c78b484882ad5214a46ef83ddb8020571c171353"
},
{
"type": "WEB",
"url": "https://gist.github.com/tariqhawis/1bc340ca5ea6ae115c9ab9665cfd5921"
},
{
"type": "PACKAGE",
"url": "https://github.com/thi-ng/umbrella"
},
{
"type": "WEB",
"url": "https://learn.snyk.io/lesson/prototype-pollution/#a0a863a5-fd3a-539f-e1ed-a0769f6c6e3b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@thi.ng/paths Prototype Pollution vulnerability"
}
GHSA-8QM3-746X-R74R
Vulnerability from github – Published: 2026-02-19 20:29 – Updated: 2026-02-19 20:29Under certain circumstances, unevaling untrusted data can produce output code that will create objects with polluted prototypes when later evaled, meaning the output data can be a different shape from the input data.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.6.2"
},
"package": {
"ecosystem": "npm",
"name": "devalue"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-19T20:29:17Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "Under certain circumstances, `uneval`ing untrusted data can produce output code that will create objects with polluted prototypes when later `eval`ed, meaning the output data can be a different shape from the input data.",
"id": "GHSA-8qm3-746x-r74r",
"modified": "2026-02-19T20:29:17Z",
"published": "2026-02-19T20:29:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sveltejs/devalue/security/advisories/GHSA-8qm3-746x-r74r"
},
{
"type": "WEB",
"url": "https://github.com/sveltejs/devalue/commit/0f04d4d678eac39ad5d7a07d1956275d7874e81c"
},
{
"type": "PACKAGE",
"url": "https://github.com/sveltejs/devalue"
},
{
"type": "WEB",
"url": "https://github.com/sveltejs/devalue/releases/tag/v5.6.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed"
}
GHSA-8QPM-5C82-RF96
Vulnerability from github – Published: 2021-05-06 15:52 – Updated: 2023-08-08 19:54Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in backbone-query-parameters 0.4.0 allows a malicious user to inject properties into Object.prototype.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "backbone-query-parameters"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-20085"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-26T19:07:16Z",
"nvd_published_at": "2021-04-23T19:15:00Z",
"severity": "HIGH"
},
"details": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027) in backbone-query-parameters 0.4.0 allows a malicious user to inject properties into Object.prototype.",
"id": "GHSA-8qpm-5c82-rf96",
"modified": "2023-08-08T19:54:27Z",
"published": "2021-05-06T15:52:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20085"
},
{
"type": "WEB",
"url": "https://github.com/BlackFan/client-side-prototype-pollution/blob/master/pp/backbone-qp.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in backbone-query-parameters"
}
GHSA-8V3J-JFG3-V3FV
Vulnerability from github – Published: 2022-03-18 00:01 – Updated: 2022-09-06 19:45Sails.js <= 1.5.2 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules(). A patch is available in the master branch of Sails.js's GItHub repository.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "sails"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-44908"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-18T23:04:49Z",
"nvd_published_at": "2022-03-17T12:15:00Z",
"severity": "CRITICAL"
},
"details": "Sails.js \u003c= 1.5.2 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules(). A [patch](https://github.com/balderdashy/sails/commit/7c5379a656bb305c958df1dcc2b51a9668830358) is available in the `master` branch of Sails.js\u0027s GItHub repository.",
"id": "GHSA-8v3j-jfg3-v3fv",
"modified": "2022-09-06T19:45:27Z",
"published": "2022-03-18T00:01:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44908"
},
{
"type": "WEB",
"url": "https://github.com/balderdashy/sails/issues/7209"
},
{
"type": "WEB",
"url": "https://github.com/balderdashy/sails/commit/7c5379a656bb305c958df1dcc2b51a9668830358"
},
{
"type": "WEB",
"url": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/sailsJS%20PoC.zip"
},
{
"type": "PACKAGE",
"url": "https://github.com/balderdashy/sails"
},
{
"type": "WEB",
"url": "https://github.com/balderdashy/sails/blob/master/lib/app/private/controller/load-action-modules.js#L32"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in Sails.js"
}
GHSA-8V63-CQQC-6R2C
Vulnerability from github – Published: 2021-09-20 20:46 – Updated: 2022-08-11 21:52object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The del() function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like toString on all objects.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "object-path"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.11.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3805"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-20T20:13:12Z",
"nvd_published_at": "2021-09-17T06:15:00Z",
"severity": "HIGH"
},
"details": "object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027). The `del()` function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like `toString` on all objects.",
"id": "GHSA-8v63-cqqc-6r2c",
"modified": "2022-08-11T21:52:14Z",
"published": "2021-09-20T20:46:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3805"
},
{
"type": "WEB",
"url": "https://github.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884"
},
{
"type": "PACKAGE",
"url": "https://github.com/mariocasciaro/object-path"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00031.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in object-path"
}
GHSA-8V65-5FW5-23WJ
Vulnerability from github – Published: 2025-09-24 21:30 – Updated: 2025-09-25 17:48The node-cube package (prior to version 5.0.0) contains a vulnerability in its handling of prototype chain initialization, which could allow an attacker to inject properties into the prototype of built-in objects. This issue, categorized under CWE-1321, arises from improper validation of user-supplied input in the package's resource initialization process. Successful exploitation may lead to denial of service or arbitrary code execution in affected environments. The vulnerability affects versions up to and including 5.0.0-beta.19, and no official fix has been released to date.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-cube"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.0.0-beta.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-57348"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-25T17:48:20Z",
"nvd_published_at": "2025-09-24T19:15:40Z",
"severity": "LOW"
},
"details": "The node-cube package (prior to version 5.0.0) contains a vulnerability in its handling of prototype chain initialization, which could allow an attacker to inject properties into the prototype of built-in objects. This issue, categorized under CWE-1321, arises from improper validation of user-supplied input in the package\u0027s resource initialization process. Successful exploitation may lead to denial of service or arbitrary code execution in affected environments. The vulnerability affects versions up to and including 5.0.0-beta.19, and no official fix has been released to date.",
"id": "GHSA-8v65-5fw5-23wj",
"modified": "2025-09-25T17:48:20Z",
"published": "2025-09-24T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57348"
},
{
"type": "WEB",
"url": "https://github.com/node-cube/cube/issues/153"
},
{
"type": "WEB",
"url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57348"
},
{
"type": "PACKAGE",
"url": "https://github.com/node-cube/cube"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "node-cube vulnerable to prototype pollution"
}
GHSA-8V9X-9XQG-R8MR
Vulnerability from github – Published: 2021-05-10 19:17 – Updated: 2021-04-19 22:31Prototype pollution vulnerability in json8-merge-patch npm package < 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "json8-merge-patch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-8268"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-20",
"CWE-471"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-19T22:31:31Z",
"nvd_published_at": "2020-11-09T15:15:00Z",
"severity": "HIGH"
},
"details": "Prototype pollution vulnerability in json8-merge-patch npm package \u003c 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor.",
"id": "GHSA-8v9x-9xqg-r8mr",
"modified": "2021-04-19T22:31:31Z",
"published": "2021-05-10T19:17:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8268"
},
{
"type": "WEB",
"url": "https://github.com/sonnyp/JSON8/issues/113"
},
{
"type": "WEB",
"url": "https://github.com/sonnyp/JSON8/commit/2e890261b66cbc54ae01d0c79c71b0fd18379e7e#diff-faa7bef039022bc7ca1c613331b2373950ddd3d65ebf25d1699fbdf89773a387"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/980649"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/json8-merge-patch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in json8-merge-patch"
}
GHSA-8VR4-H4RR-8PH6
Vulnerability from github – Published: 2024-05-20 18:31 – Updated: 2024-08-20 18:03A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 allows an attacker to execute arbitrary code via the M function e argument in index.js.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@bit/loader"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-24293"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-20T20:56:14Z",
"nvd_published_at": "2024-05-20T18:15:10Z",
"severity": "HIGH"
},
"details": "A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 allows an attacker to execute arbitrary code via the M function e argument in index.js.",
"id": "GHSA-8vr4-h4rr-8ph6",
"modified": "2024-08-20T18:03:43Z",
"published": "2024-05-20T18:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24293"
},
{
"type": "WEB",
"url": "https://gist.github.com/tariqhawis/986fb1c9da6be526fb2656ba8d194b7f"
},
{
"type": "PACKAGE",
"url": "https://github.com/MiguelCastillo/bit-loader"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MiguelCastillo @bit/loader Prototype Pollution issue"
}
GHSA-8VV3-JXM8-F4VF
Vulnerability from github – Published: 2021-05-06 17:29 – Updated: 2021-05-05 21:19The package connie-lang before 0.1.1 are vulnerable to Prototype Pollution in the configuration language library used by connie.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "connie-lang"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7706"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-05T21:19:56Z",
"nvd_published_at": "2020-08-18T10:15:00Z",
"severity": "CRITICAL"
},
"details": "The package connie-lang before 0.1.1 are vulnerable to Prototype Pollution in the configuration language library used by connie.",
"id": "GHSA-8vv3-jxm8-f4vf",
"modified": "2021-05-05T21:19:56Z",
"published": "2021-05-06T17:29:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7706"
},
{
"type": "WEB",
"url": "https://github.com/mattinsler/connie-lang/commit/ef376d404c712dd28309ba07f28a8f87f24a015a"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-CONNIELANG-598853"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in connie-lang"
}
GHSA-8XXM-H73R-GHFJ
Vulnerability from github – Published: 2022-02-07 22:37 – Updated: 2023-07-13 19:05日本語
影響
v0.26.0以前のfrourioを使用している、かつvalidators/を利用している場合、ネストされたバリデータがリクエストのボディーとクエリに対して正しく働かないケースがあります。また、リクエストに対してバリデーションが効かなくなる入力があります。
パッチ
frourioをv0.26.0かそれ以降のバージョンにアップデートをお願いします。frourio を使用したプロジェクトには class-transformer と reflect-metadata の依存への追加も必要となります。
ワークアラウンド
controller側で自分でclass-transformerを使用してチェックする、vaildatorを使わない、など。
さらなる情報
このセキュリティ勧告に関する質問やコメントについては、以下の方法でお問い合わせいただけます。 * frourioにIssueを開く。
English
Impact
Frourio users who uses frourio version prior to v0.26.0 and integration with class-validator through validators/ folder. Validators does not work properly for request bodies and queries in specific situations. Addtionally, some kind of input is not validated. (false positives)
Patches
Please update your frourio to v0.26.0 or later. You also need to install class-transformer and reflect-metadata to your project.
Workarounds
Validate objects from request with class-transformer in controllers by yourself, or prevent using validators.
For more information
If you have any questions or comments about this advisory: * Open an issue in frourio
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "frourio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.26.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23623"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-07T22:37:45Z",
"nvd_published_at": "2022-02-07T23:15:00Z",
"severity": "HIGH"
},
"details": "## \u65e5\u672c\u8a9e\n\n### \u5f71\u97ff\nv0.26.0\u4ee5\u524d\u306efrourio\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u3001\u304b\u3064validators/\u3092\u5229\u7528\u3057\u3066\u3044\u308b\u5834\u5408\u3001\u30cd\u30b9\u30c8\u3055\u308c\u305f\u30d0\u30ea\u30c7\u30fc\u30bf\u304c\u30ea\u30af\u30a8\u30b9\u30c8\u306e\u30dc\u30c7\u30a3\u30fc\u3068\u30af\u30a8\u30ea\u306b\u5bfe\u3057\u3066\u6b63\u3057\u304f\u50cd\u304b\u306a\u3044\u30b1\u30fc\u30b9\u304c\u3042\u308a\u307e\u3059\u3002\u307e\u305f\u3001\u30ea\u30af\u30a8\u30b9\u30c8\u306b\u5bfe\u3057\u3066\u30d0\u30ea\u30c7\u30fc\u30b7\u30e7\u30f3\u304c\u52b9\u304b\u306a\u304f\u306a\u308b\u5165\u529b\u304c\u3042\u308a\u307e\u3059\u3002\n\n### \u30d1\u30c3\u30c1\nfrourio\u3092v0.26.0\u304b\u305d\u308c\u4ee5\u964d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306b\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u3092\u304a\u9858\u3044\u3057\u307e\u3059\u3002frourio \u3092\u4f7f\u7528\u3057\u305f\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u306b\u306f `class-transformer` \u3068 `reflect-metadata` \u306e\u4f9d\u5b58\u3078\u306e\u8ffd\u52a0\u3082\u5fc5\u8981\u3068\u306a\u308a\u307e\u3059\u3002\n\n### \u30ef\u30fc\u30af\u30a2\u30e9\u30a6\u30f3\u30c9\ncontroller\u5074\u3067\u81ea\u5206\u3067class-transformer\u3092\u4f7f\u7528\u3057\u3066\u30c1\u30a7\u30c3\u30af\u3059\u308b\u3001vaildator\u3092\u4f7f\u308f\u306a\u3044\u3001\u306a\u3069\u3002\n\n### \u3055\u3089\u306a\u308b\u60c5\u5831\n\n\u3053\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u52e7\u544a\u306b\u95a2\u3059\u308b\u8cea\u554f\u3084\u30b3\u30e1\u30f3\u30c8\u306b\u3064\u3044\u3066\u306f\u3001\u4ee5\u4e0b\u306e\u65b9\u6cd5\u3067\u304a\u554f\u3044\u5408\u308f\u305b\u3044\u305f\u3060\u3051\u307e\u3059\u3002\n* [frourio](https://github.com/frouriojs/frourio)\u306bIssue\u3092\u958b\u304f\u3002\n\n## English\n\n### Impact\nFrourio users who uses frourio version prior to v0.26.0 and integration with class-validator through `validators/` folder. Validators does not work properly for request bodies and queries in specific situations. Addtionally, some kind of input is not validated. (false positives)\n\n### Patches\nPlease update your frourio to v0.26.0 or later. You also need to install `class-transformer` and `reflect-metadata` to your project.\n\n### Workarounds\nValidate objects from request with class-transformer in controllers by yourself, or prevent using validators.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [frourio](https://github.com/frouriojs/frourio)\n",
"id": "GHSA-8xxm-h73r-ghfj",
"modified": "2023-07-13T19:05:16Z",
"published": "2022-02-07T22:37:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/frouriojs/frourio/security/advisories/GHSA-8xxm-h73r-ghfj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23623"
},
{
"type": "WEB",
"url": "https://github.com/frouriojs/frourio/commit/7c19ac5363305b81b1c6b5232620228763d427af"
},
{
"type": "PACKAGE",
"url": "https://github.com/frouriojs/frourio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Validation bypass in frourio"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.