CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
782 vulnerabilities reference this CWE, most recent first.
GHSA-92V9-XH2Q-FQ9F
Vulnerability from github – Published: 2021-09-20 20:12 – Updated: 2022-12-03 04:00The npm @cookiex/deep package before version 0.0.7 has a prototype pollution vulnerability. The global proto object can be polluted using the proto object.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@cookiex/deep"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23442"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-20T19:26:16Z",
"nvd_published_at": "2021-09-17T10:15:00Z",
"severity": "HIGH"
},
"details": "The npm @cookiex/deep package before version 0.0.7 has a prototype pollution vulnerability. The global proto object can be polluted using the __proto__ object.",
"id": "GHSA-92v9-xh2q-fq9f",
"modified": "2022-12-03T04:00:48Z",
"published": "2021-09-20T20:12:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23442"
},
{
"type": "WEB",
"url": "https://github.com/tony-tsx/cookiex-deep/issues/1"
},
{
"type": "WEB",
"url": "https://github.com/tony-tsx/cookiex-deep/commit/b5bea2b7f34a5fa9abb4446cbd038ecdbcd09c88"
},
{
"type": "PACKAGE",
"url": "https://github.com/tony-tsx/cookiex-deep"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-COOKIEXDEEP-1582793"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in cookiex/deep"
}
GHSA-92XJ-MQP7-VMCJ
Vulnerability from github – Published: 2020-09-14 21:42 – Updated: 2022-12-03 04:06The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: version 0.10.0 is a breaking change removing the vulnerable functions.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-forge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7720"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2020-09-14T21:41:51Z",
"nvd_published_at": "2020-09-01T10:15:00Z",
"severity": "HIGH"
},
"details": "The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: version 0.10.0 is a breaking change removing the vulnerable functions.",
"id": "GHSA-92xj-mqp7-vmcj",
"modified": "2022-12-03T04:06:21Z",
"published": "2020-09-14T21:42:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7720"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/commit/6a1e3ef74f6eb345bcff1b82184201d1e28b6756"
},
{
"type": "PACKAGE",
"url": "https://github.com/digitalbazaar/forge"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md#removed"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in node-forge"
}
GHSA-9354-P3XR-GQW5
Vulnerability from github – Published: 2024-07-24 15:31 – Updated: 2024-07-24 15:31A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.
{
"affected": [],
"aliases": [
"CVE-2024-22443"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-24T15:15:11Z",
"severity": "HIGH"
},
"details": "A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.",
"id": "GHSA-9354-p3xr-gqw5",
"modified": "2024-07-24T15:31:28Z",
"published": "2024-07-24T15:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22443"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04672en_us\u0026docLocale=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-93Q5-3XPC-8VG3
Vulnerability from github – Published: 2022-09-16 00:00 – Updated: 2022-09-21 21:08Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal via the requestedVersion variable in the npm-convert.js file.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "steal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-37257"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-21T21:08:13Z",
"nvd_published_at": "2022-09-15T13:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal via the requestedVersion variable in the npm-convert.js file.",
"id": "GHSA-93q5-3xpc-8vg3",
"modified": "2022-09-21T21:08:13Z",
"published": "2022-09-16T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37257"
},
{
"type": "WEB",
"url": "https://github.com/stealjs/steal/issues/1526"
},
{
"type": "PACKAGE",
"url": "https://github.com/stealjs/steal"
},
{
"type": "WEB",
"url": "https://github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/npm-convert.js#L362"
},
{
"type": "WEB",
"url": "https://github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/npm-convert.js#L371"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "steal vulnerable to Prototype Pollution via requestedVersion variable"
}
GHSA-93VW-8FM5-P2JF
Vulnerability from github – Published: 2022-11-10 13:02 – Updated: 2023-08-21 18:17Impact
A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option.
Patches
Improved keyword detection.
Workarounds
None.
Collaborators
Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.10.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41879"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-10T13:02:35Z",
"nvd_published_at": "2022-11-10T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option.\n\n### Patches\n\nImproved keyword detection.\n\n### Workarounds\n\nNone.\n\n### Collaborators\n\nMikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative\n\n### References\n\n- https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf",
"id": "GHSA-93vw-8fm5-p2jf",
"modified": "2023-08-21T18:17:08Z",
"published": "2022-11-10T13:02:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41879"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/8305"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/8306"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/60c5a73d257e0d536056b38bdafef8b7130524d8"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/6c63f04ba37174021082a5b5c4ba1556dcc954f4"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/4.10.20"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/5.3.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks"
}
GHSA-9534-H433-2RJF
Vulnerability from github – Published: 2021-05-07 16:28 – Updated: 2021-07-28 18:40utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "utilitify"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10808"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-03T18:04:07Z",
"nvd_published_at": "2020-03-11T23:15:00Z",
"severity": "HIGH"
},
"details": "utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype.",
"id": "GHSA-9534-h433-2rjf",
"modified": "2021-07-28T18:40:29Z",
"published": "2021-05-07T16:28:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10808"
},
{
"type": "WEB",
"url": "https://github.com/xcritical-software/utilitify/commit/88d6e27009823338bf319ffb768fe6b08e8ad2d1,"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-UTILITIFY-559497"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improperly Controlled Modification of Dynamically-Determined Object Attributes in utilitify"
}
GHSA-957J-59C2-J692
Vulnerability from github – Published: 2021-10-12 16:26 – Updated: 2023-09-07 18:57Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "getobject"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28282"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-08T22:07:57Z",
"nvd_published_at": "2020-12-29T18:15:00Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution vulnerability in \u0027getobject\u0027 version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.",
"id": "GHSA-957j-59c2-j692",
"modified": "2023-09-07T18:57:59Z",
"published": "2021-10-12T16:26:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28282"
},
{
"type": "PACKAGE",
"url": "https://github.com/cowboy/node-getobject"
},
{
"type": "WEB",
"url": "https://github.com/cowboy/node-getobject/blob/aba04a8e1d6180eb39eff09990c3a43886ba8937/lib/getobject.js#L48"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28282"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype pollution in getobject"
}
GHSA-95FF-46G6-6GW9
Vulnerability from github – Published: 2026-01-28 21:41 – Updated: 2026-01-28 21:41Summary
An authenticated user with org-level-creator permissions can exploit prototype pollution in the /api/v2/meta/connection/test endpoint, causing all database write operations to fail application-wide until server restart.
While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution.
Details
The deepMerge() function in packages/nocodb/src/utils/dataUtils.ts does not sanitize the following keys: (__proto__, constructor, prototype):
export const deepMerge = (target: any, ...sources: any[]) => {
// ...
Object.keys(source).forEach((key) => {
if (isMergeableObject(source[key])) {
if (!target[key]) target[key] = Array.isArray(source[key]) ? [] : {};
deepMerge(target[key], source[key]); // Recursively merges __proto__
} else {
target[key] = source[key];
}
});
// ...
};
The testConnection endpoint (packages/nocodb/src/controllers/utils.controller.ts) passes user-controlled input directly to deepMerge():
config = await integration.getConfig();
deepMerge(config, body);
When an attacker sends {"__proto__": {"super": true}}, the super property is written to Object.prototype, affecting all plain objects in the Node.js process.
Impact
Pollutes Object.prototype globally, breaking all subsequent database write operations for all users until process restart.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nocodb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.301.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-24766"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-28T21:41:26Z",
"nvd_published_at": "2026-01-28T21:16:12Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nAn authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart.\n\nWhile the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution.\n\n### Details\n\nThe `deepMerge()` function in `packages/nocodb/src/utils/dataUtils.ts` does not sanitize the following keys: (`__proto__`, `constructor`, `prototype`):\n\n```typescript\nexport const deepMerge = (target: any, ...sources: any[]) =\u003e {\n // ...\n Object.keys(source).forEach((key) =\u003e {\n if (isMergeableObject(source[key])) {\n if (!target[key]) target[key] = Array.isArray(source[key]) ? [] : {};\n deepMerge(target[key], source[key]); // Recursively merges __proto__\n } else {\n target[key] = source[key];\n }\n });\n // ...\n};\n```\n\nThe `testConnection` endpoint (`packages/nocodb/src/controllers/utils.controller.ts`) passes user-controlled input directly to `deepMerge()`:\n\n```typescript\nconfig = await integration.getConfig();\ndeepMerge(config, body);\n```\n\nWhen an attacker sends `{\"__proto__\": {\"super\": true}}`, the `super` property is written to `Object.prototype`, affecting all plain objects in the Node.js process.\n\n## Impact\n\nPollutes Object.prototype globally, breaking all subsequent database write operations for all users until process restart.",
"id": "GHSA-95ff-46g6-6gw9",
"modified": "2026-01-28T21:41:26Z",
"published": "2026-01-28T21:41:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24766"
},
{
"type": "PACKAGE",
"url": "https://github.com/nocodb/nocodb"
},
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/releases/tag/0.301.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS"
}
GHSA-95JQ-XPH2-CX9H
Vulnerability from github – Published: 2025-07-26 00:30 – Updated: 2026-06-26 20:26Prototype Pollution in internal assign() helper in Linkify allows remote attackers to execute arbitrary JavaScript (Stored or Reflected XSS) via injection of event handlers through unfiltered proto property. This issue affects Linkify version 4.3.1 and is fixed in 4.3.2.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "linkifyjs"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.1"
},
{
"fixed": "4.3.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.3.1"
]
}
],
"aliases": [
"CVE-2025-8101"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-29T19:09:33Z",
"nvd_published_at": "2025-07-25T22:15:25Z",
"severity": "HIGH"
},
"details": "Prototype Pollution in internal `assign()` helper in Linkify allows remote attackers to execute arbitrary JavaScript (Stored or Reflected XSS) via injection of event handlers through unfiltered proto property. This issue affects Linkify version 4.3.1 and is fixed in 4.3.2.",
"id": "GHSA-95jq-xph2-cx9h",
"modified": "2026-06-26T20:26:11Z",
"published": "2025-07-26T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8101"
},
{
"type": "WEB",
"url": "https://github.com/nfrasser/linkifyjs/commit/931d3e28b68951b8f898ea4d6504696346b485b0"
},
{
"type": "WEB",
"url": "https://caverav.cl/posts/linkify-xss/linkify-xss"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/advisories/charly"
},
{
"type": "PACKAGE",
"url": "https://github.com/nfrasser/linkifyjs"
},
{
"type": "WEB",
"url": "https://github.com/nfrasser/linkifyjs/releases/tag/v4.3.2"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/linkifyjs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Linkify Allows Prototype Pollution \u0026 HTML Attribute Injection (XSS)"
}
GHSA-97JV-C342-5XHC
Vulnerability from github – Published: 2022-12-19 15:30 – Updated: 2022-12-29 23:37A vulnerability classified as critical has been found in Furqan node-whois. Affected is an unknown function of the file index.coffee. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to launch the attack remotely. The name of the patch is 46ccc2aee8d063c7b6b4dee2c2834113b7286076. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216252.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "whois"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.13.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36618"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-74",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-19T18:24:03Z",
"nvd_published_at": "2022-12-19T14:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability classified as critical has been found in Furqan node-whois. Affected is an unknown function of the file `index.coffee`. The manipulation leads to improperly controlled modification of object prototype attributes (\u0027prototype pollution\u0027). It is possible to launch the attack remotely. The name of the patch is 46ccc2aee8d063c7b6b4dee2c2834113b7286076. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216252.",
"id": "GHSA-97jv-c342-5xhc",
"modified": "2022-12-29T23:37:10Z",
"published": "2022-12-19T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36618"
},
{
"type": "WEB",
"url": "https://github.com/FurqanSoftware/node-whois/pull/105"
},
{
"type": "WEB",
"url": "https://github.com/FurqanSoftware/node-whois/commit/46ccc2aee8d063c7b6b4dee2c2834113b7286076"
},
{
"type": "PACKAGE",
"url": "https://github.com/FurqanSoftware/node-whois"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.216252"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20220403104013/https://www.npmjs.com/package/whois"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "FurqanSoftware/node-whois vulnerable to Prototype Pollution"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.