Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

782 vulnerabilities reference this CWE, most recent first.

GHSA-92V9-XH2Q-FQ9F

Vulnerability from github – Published: 2021-09-20 20:12 – Updated: 2022-12-03 04:00
VLAI
Summary
Prototype Pollution in cookiex/deep
Details

The npm @cookiex/deep package before version 0.0.7 has a prototype pollution vulnerability. The global proto object can be polluted using the proto object.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@cookiex/deep"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-20T19:26:16Z",
    "nvd_published_at": "2021-09-17T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "The npm @cookiex/deep package before version 0.0.7 has a prototype pollution vulnerability. The global proto object can be polluted using the __proto__ object.",
  "id": "GHSA-92v9-xh2q-fq9f",
  "modified": "2022-12-03T04:00:48Z",
  "published": "2021-09-20T20:12:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23442"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tony-tsx/cookiex-deep/issues/1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tony-tsx/cookiex-deep/commit/b5bea2b7f34a5fa9abb4446cbd038ecdbcd09c88"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tony-tsx/cookiex-deep"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-COOKIEXDEEP-1582793"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in cookiex/deep"
}

GHSA-92XJ-MQP7-VMCJ

Vulnerability from github – Published: 2020-09-14 21:42 – Updated: 2022-12-03 04:06
VLAI
Summary
Prototype Pollution in node-forge
Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: version 0.10.0 is a breaking change removing the vulnerable functions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-forge"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-09-14T21:41:51Z",
    "nvd_published_at": "2020-09-01T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: version 0.10.0 is a breaking change removing the vulnerable functions.",
  "id": "GHSA-92xj-mqp7-vmcj",
  "modified": "2022-12-03T04:06:21Z",
  "published": "2020-09-14T21:42:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7720"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/commit/6a1e3ef74f6eb345bcff1b82184201d1e28b6756"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/digitalbazaar/forge"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md#removed"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in node-forge"
}

GHSA-9354-P3XR-GQW5

Vulnerability from github – Published: 2024-07-24 15:31 – Updated: 2024-07-24 15:31
VLAI
Details

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22443"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-24T15:15:11Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.",
  "id": "GHSA-9354-p3xr-gqw5",
  "modified": "2024-07-24T15:31:28Z",
  "published": "2024-07-24T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22443"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04672en_us\u0026docLocale=en_US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-93Q5-3XPC-8VG3

Vulnerability from github – Published: 2022-09-16 00:00 – Updated: 2022-09-21 21:08
VLAI
Summary
steal vulnerable to Prototype Pollution via requestedVersion variable
Details

Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal via the requestedVersion variable in the npm-convert.js file.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "steal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-37257"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-21T21:08:13Z",
    "nvd_published_at": "2022-09-15T13:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal via the requestedVersion variable in the npm-convert.js file.",
  "id": "GHSA-93q5-3xpc-8vg3",
  "modified": "2022-09-21T21:08:13Z",
  "published": "2022-09-16T00:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37257"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stealjs/steal/issues/1526"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/stealjs/steal"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/npm-convert.js#L362"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/npm-convert.js#L371"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "steal vulnerable to Prototype Pollution via requestedVersion variable"
}

GHSA-93VW-8FM5-P2JF

Vulnerability from github – Published: 2022-11-10 13:02 – Updated: 2023-08-21 18:17
VLAI
Summary
Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks
Details

Impact

A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option.

Patches

Improved keyword detection.

Workarounds

None.

Collaborators

Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative

References

  • https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.10.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-41879"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-10T13:02:35Z",
    "nvd_published_at": "2022-11-10T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option.\n\n### Patches\n\nImproved keyword detection.\n\n### Workarounds\n\nNone.\n\n### Collaborators\n\nMikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative\n\n### References\n\n- https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf",
  "id": "GHSA-93vw-8fm5-p2jf",
  "modified": "2023-08-21T18:17:08Z",
  "published": "2022-11-10T13:02:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41879"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/8305"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/8306"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/60c5a73d257e0d536056b38bdafef8b7130524d8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/6c63f04ba37174021082a5b5c4ba1556dcc954f4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/4.10.20"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/5.3.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks"
}

GHSA-9534-H433-2RJF

Vulnerability from github – Published: 2021-05-07 16:28 – Updated: 2021-07-28 18:40
VLAI
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes in utilitify
Details

utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "utilitify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10808"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-03T18:04:07Z",
    "nvd_published_at": "2020-03-11T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype.",
  "id": "GHSA-9534-h433-2rjf",
  "modified": "2021-07-28T18:40:29Z",
  "published": "2021-05-07T16:28:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10808"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xcritical-software/utilitify/commit/88d6e27009823338bf319ffb768fe6b08e8ad2d1,"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-UTILITIFY-559497"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improperly Controlled Modification of Dynamically-Determined Object Attributes in utilitify"
}

GHSA-957J-59C2-J692

Vulnerability from github – Published: 2021-10-12 16:26 – Updated: 2023-09-07 18:57
VLAI
Summary
Prototype pollution in getobject
Details

Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "getobject"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-08T22:07:57Z",
    "nvd_published_at": "2020-12-29T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in \u0027getobject\u0027 version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.",
  "id": "GHSA-957j-59c2-j692",
  "modified": "2023-09-07T18:57:59Z",
  "published": "2021-10-12T16:26:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28282"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cowboy/node-getobject"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in getobject"
}

GHSA-95FF-46G6-6GW9

Vulnerability from github – Published: 2026-01-28 21:41 – Updated: 2026-01-28 21:41
VLAI
Summary
NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS
Details

Summary

An authenticated user with org-level-creator permissions can exploit prototype pollution in the /api/v2/meta/connection/test endpoint, causing all database write operations to fail application-wide until server restart.

While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution.

Details

The deepMerge() function in packages/nocodb/src/utils/dataUtils.ts does not sanitize the following keys: (__proto__, constructor, prototype):

export const deepMerge = (target: any, ...sources: any[]) => {
  // ...
  Object.keys(source).forEach((key) => {
    if (isMergeableObject(source[key])) {
      if (!target[key]) target[key] = Array.isArray(source[key]) ? [] : {};
      deepMerge(target[key], source[key]);  // Recursively merges __proto__
    } else {
      target[key] = source[key];
    }
  });
  // ...
};

The testConnection endpoint (packages/nocodb/src/controllers/utils.controller.ts) passes user-controlled input directly to deepMerge():

config = await integration.getConfig();
deepMerge(config, body);

When an attacker sends {"__proto__": {"super": true}}, the super property is written to Object.prototype, affecting all plain objects in the Node.js process.

Impact

Pollutes Object.prototype globally, breaking all subsequent database write operations for all users until process restart.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.301.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-28T21:41:26Z",
    "nvd_published_at": "2026-01-28T21:16:12Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nAn authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart.\n\nWhile the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution.\n\n### Details\n\nThe `deepMerge()` function in `packages/nocodb/src/utils/dataUtils.ts` does not sanitize the following keys: (`__proto__`, `constructor`, `prototype`):\n\n```typescript\nexport const deepMerge = (target: any, ...sources: any[]) =\u003e {\n  // ...\n  Object.keys(source).forEach((key) =\u003e {\n    if (isMergeableObject(source[key])) {\n      if (!target[key]) target[key] = Array.isArray(source[key]) ? [] : {};\n      deepMerge(target[key], source[key]);  // Recursively merges __proto__\n    } else {\n      target[key] = source[key];\n    }\n  });\n  // ...\n};\n```\n\nThe `testConnection` endpoint (`packages/nocodb/src/controllers/utils.controller.ts`) passes user-controlled input directly to `deepMerge()`:\n\n```typescript\nconfig = await integration.getConfig();\ndeepMerge(config, body);\n```\n\nWhen an attacker sends `{\"__proto__\": {\"super\": true}}`, the `super` property is written to `Object.prototype`, affecting all plain objects in the Node.js process.\n\n## Impact\n\nPollutes Object.prototype globally, breaking all subsequent database write operations for all users until process restart.",
  "id": "GHSA-95ff-46g6-6gw9",
  "modified": "2026-01-28T21:41:26Z",
  "published": "2026-01-28T21:41:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24766"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/releases/tag/0.301.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS"
}

GHSA-95JQ-XPH2-CX9H

Vulnerability from github – Published: 2025-07-26 00:30 – Updated: 2026-06-26 20:26
VLAI
Summary
Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)
Details

Prototype Pollution in internal assign() helper in Linkify allows remote attackers to execute arbitrary JavaScript (Stored or Reflected XSS) via injection of event handlers through unfiltered proto property. This issue affects Linkify version 4.3.1 and is fixed in 4.3.2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "linkifyjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.1"
            },
            {
              "fixed": "4.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.3.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-8101"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-29T19:09:33Z",
    "nvd_published_at": "2025-07-25T22:15:25Z",
    "severity": "HIGH"
  },
  "details": "Prototype Pollution in internal `assign()` helper in Linkify allows remote attackers to execute arbitrary JavaScript (Stored or Reflected XSS) via injection of event handlers through unfiltered proto property. This issue affects Linkify version 4.3.1 and is fixed in 4.3.2.",
  "id": "GHSA-95jq-xph2-cx9h",
  "modified": "2026-06-26T20:26:11Z",
  "published": "2025-07-26T00:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8101"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nfrasser/linkifyjs/commit/931d3e28b68951b8f898ea4d6504696346b485b0"
    },
    {
      "type": "WEB",
      "url": "https://caverav.cl/posts/linkify-xss/linkify-xss"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/charly"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nfrasser/linkifyjs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nfrasser/linkifyjs/releases/tag/v4.3.2"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/linkifyjs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Linkify Allows Prototype Pollution \u0026 HTML Attribute Injection (XSS)"
}

GHSA-97JV-C342-5XHC

Vulnerability from github – Published: 2022-12-19 15:30 – Updated: 2022-12-29 23:37
VLAI
Summary
FurqanSoftware/node-whois vulnerable to Prototype Pollution
Details

A vulnerability classified as critical has been found in Furqan node-whois. Affected is an unknown function of the file index.coffee. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to launch the attack remotely. The name of the patch is 46ccc2aee8d063c7b6b4dee2c2834113b7286076. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216252.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "whois"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.13.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-36618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-74",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-19T18:24:03Z",
    "nvd_published_at": "2022-12-19T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability classified as critical has been found in Furqan node-whois. Affected is an unknown function of the file `index.coffee`. The manipulation leads to improperly controlled modification of object prototype attributes (\u0027prototype pollution\u0027). It is possible to launch the attack remotely. The name of the patch is 46ccc2aee8d063c7b6b4dee2c2834113b7286076. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216252.",
  "id": "GHSA-97jv-c342-5xhc",
  "modified": "2022-12-29T23:37:10Z",
  "published": "2022-12-19T15:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36618"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FurqanSoftware/node-whois/pull/105"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FurqanSoftware/node-whois/commit/46ccc2aee8d063c7b6b4dee2c2834113b7286076"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FurqanSoftware/node-whois"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.216252"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20220403104013/https://www.npmjs.com/package/whois"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FurqanSoftware/node-whois vulnerable to Prototype Pollution"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.