Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

780 vulnerabilities reference this CWE, most recent first.

GHSA-M639-9WHG-FW97

Vulnerability from github – Published: 2022-02-19 00:01 – Updated: 2022-02-28 22:17
VLAI
Summary
Prototype Pollution in object-extend
Details

The package object-extend from 0.0.0 through 0.5.0 is vulnerable to Prototype Pollution via object-extend.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "object-extend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-22T20:51:50Z",
    "nvd_published_at": "2022-02-18T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The package object-extend from 0.0.0 through 0.5.0 is vulnerable to Prototype Pollution via object-extend.",
  "id": "GHSA-m639-9whg-fw97",
  "modified": "2022-02-28T22:17:42Z",
  "published": "2022-02-19T00:01:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23702"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bernhardw/object-extend"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-OBJECTEXTEND-2401470"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in object-extend"
}

GHSA-M6MG-JVJF-W44X

Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-08-04 21:25
VLAI
Summary
conf-cfg-ini Prototype Pollution via malicious INI file before v1.2.2
Details

This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "conf-cfg-ini"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28441"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-04T21:25:33Z",
    "nvd_published_at": "2022-07-25T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.",
  "id": "GHSA-m6mg-jvjf-w44x",
  "modified": "2022-08-04T21:25:33Z",
  "published": "2022-07-26T00:01:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28441"
    },
    {
      "type": "WEB",
      "url": "https://github.com/loge5/conf-cfg-ini/commit/3a88a6c52c31eb6c0f033369eed40aa168a636ea"
    },
    {
      "type": "WEB",
      "url": "https://github.com/loge5/conf-cfg-ini/commit/ecd878f8f7398e765739e989c7fe7cc052308947"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/loge5/conf-cfg-ini"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-CONFCFGINI-1048973"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "conf-cfg-ini Prototype Pollution via malicious INI file before v1.2.2"
}

GHSA-M7J4-FHG6-XF5V

Vulnerability from github – Published: 2020-12-17 21:00 – Updated: 2024-06-21 21:33
VLAI
Summary
datatables.net vulnerable to Prototype Pollution due to incomplete fix
Details

All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "datatables.net"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28458"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-12-17T18:27:07Z",
    "nvd_published_at": "2020-12-16T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.",
  "id": "GHSA-m7j4-fhg6-xf5v",
  "modified": "2024-06-21T21:33:49Z",
  "published": "2020-12-17T21:00:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28458"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DataTables/DataTablesSrc/commit/a51cbe99fd3d02aa5582f97d4af1615d11a1ea03"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DataTables/DataTablesSrc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DataTables/Dist-DataTables/blob/master/js/jquery.dataTables.js%23L2766"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240621-0006"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1051961"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1051962"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-DATATABLESNET-1016402"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "datatables.net vulnerable to Prototype Pollution due to incomplete fix"
}

GHSA-M7MV-M566-78J6

Vulnerability from github – Published: 2022-08-19 00:00 – Updated: 2022-08-20 00:00
VLAI
Details

A vulnerability found in postgresql. On this security issue an attack requires permission to create non-temporary objects in at least one schema, ability to lure or wait for an administrator to create or update an affected extension in that schema, and ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, the attacker can run arbitrary code as the victim role, which may be a superuser. Known-affected extensions include both PostgreSQL-bundled and non-bundled extensions. PostgreSQL blocks this attack in the core server, so there's no need to modify individual extensions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2625"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-913",
      "CWE-915"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-18T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability found in postgresql. On this security issue an attack requires permission to create non-temporary objects in at least one schema, ability to lure or wait for an administrator to create or update an affected extension in that schema, and ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, the attacker can run arbitrary code as the victim role, which may be a superuser. Known-affected extensions include both PostgreSQL-bundled and non-bundled extensions. PostgreSQL blocks this attack in the core server, so there\u0027s no need to modify individual extensions.",
  "id": "GHSA-m7mv-m566-78j6",
  "modified": "2022-08-20T00:00:39Z",
  "published": "2022-08-19T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2625"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2022-2625"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2113825"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202211-04"
    },
    {
      "type": "WEB",
      "url": "https://www.postgresql.org/about/news/postgresql-145-138-1212-1117-1022-and-15-beta-3-released-2496"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M7RG-8WVQ-846V

Vulnerability from github – Published: 2021-06-07 21:49 – Updated: 2023-08-08 19:57
VLAI
Summary
Prototype pollution in nestie
Details

Prototype pollution vulnerability in 'nestie' versions 0.0.0 through 1.0.0 allows an attacker to cause a denial of service and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nestie"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-25947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-04T18:32:41Z",
    "nvd_published_at": "2021-06-03T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in \u0027nestie\u0027 versions 0.0.0 through 1.0.0 allows an attacker to cause a denial of service and may lead to remote code execution.",
  "id": "GHSA-m7rg-8wvq-846v",
  "modified": "2023-08-08T19:57:34Z",
  "published": "2021-06-07T21:49:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25947"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lukeed/nestie/commit/bc80d5898d1e5e8a3d325d355eda0c325c8dcfc2"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25947"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in nestie"
}

GHSA-M8GW-HJPR-RJV7

Vulnerability from github – Published: 2022-01-05 15:01 – Updated: 2022-01-04 17:43
VLAI
Summary
Prototype Pollution in dojo
Details

All versions of package dojo are vulnerable to Prototype Pollution via the setObject function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "dojo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.16.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-04T17:43:26Z",
    "nvd_published_at": "2021-12-17T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "All versions of package dojo are vulnerable to Prototype Pollution via the setObject function.",
  "id": "GHSA-m8gw-hjpr-rjv7",
  "modified": "2022-01-04T17:43:26Z",
  "published": "2022-01-05T15:01:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23450"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dojo/dojo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dojo/dojo/blob/4c39c14349408fc8274e19b399ffc660512ed07c/_base/lang.js%23L172"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2313036"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2313035"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBDOJO-2313034"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2313033"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-DOJO-1535223"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in dojo"
}

GHSA-M929-RG27-GJ99

Vulnerability from github – Published: 2025-09-24 21:30 – Updated: 2025-10-20 15:32
VLAI
Summary
Duplicate Advisory: rollbar vulnerable to prototype pollution
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-r8c2-2qwq-94p6. This link is maintained to preserve external references.

Original Description

rollbar is a package designed to effortlessly track and debug errors in JavaScript applications. This package includes advanced error tracking features and an intuitive interface to help you identify and fix issues more quickly. A Prototype Pollution vulnerability in the utility.set function of rollbar v2.26.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "rollbar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.26.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-26T20:08:11Z",
    "nvd_published_at": "2025-09-24T20:15:32Z",
    "severity": "LOW"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-r8c2-2qwq-94p6. This link is maintained to preserve external references.\n\n### Original Description\nrollbar is a package designed to effortlessly track and debug errors in JavaScript applications. This package includes advanced error tracking features and an intuitive interface to help you identify and fix issues more quickly. A Prototype Pollution vulnerability in the utility.set function of rollbar v2.26.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.",
  "id": "GHSA-m929-rg27-gj99",
  "modified": "2025-10-20T15:32:57Z",
  "published": "2025-09-24T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57325"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rollbar/rollbar.js/issues/1333"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/rollbar%402.26.4/index.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57325"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rollbar/rollbar.js"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: rollbar vulnerable to prototype pollution",
  "withdrawn": "2025-10-20T15:31:48Z"
}

GHSA-M939-VRFP-9V8P

Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-08-06 09:35
VLAI
Summary
js-ini Prorotype Pollution when malicious INI files submitted to an application that parses it with `parse`
Details

This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "js-ini"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28461"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-06T09:35:43Z",
    "nvd_published_at": "2022-07-25T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with `parse` , they will pollute the prototype on the application. This can be exploited further depending on the context.",
  "id": "GHSA-m939-vrfp-9v8p",
  "modified": "2022-08-06T09:35:43Z",
  "published": "2022-07-26T00:01:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28461"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sdju/js-ini/commit/fa17efb7e3a7c9464508a254838d4c231784931e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Sdju/js-ini"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-JSINI-1048970"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "js-ini Prorotype Pollution when malicious INI files submitted to an application that parses it with `parse`"
}

GHSA-MH29-5H37-FV8M

Vulnerability from github – Published: 2025-11-14 14:29 – Updated: 2026-01-31 03:32
VLAI
Summary
js-yaml has prototype pollution in merge (<<)
Details

Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "js-yaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "js-yaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-14T14:29:48Z",
    "nvd_published_at": "2025-11-13T16:15:57Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIn js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it\u0027s possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted.\n\n### Patches\n\nProblem is patched in js-yaml 4.1.1 and 3.14.2.\n\n### Workarounds\n\nYou can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).\n\n### References\n\nhttps://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html",
  "id": "GHSA-mh29-5h37-fv8m",
  "modified": "2026-01-31T03:32:42Z",
  "published": "2025-11-14T14:29:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64718"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nodeca/js-yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "js-yaml has prototype pollution in merge (\u003c\u003c)"
}

GHSA-MH82-55CM-6GFH

Vulnerability from github – Published: 2021-06-08 23:16 – Updated: 2022-06-29 20:42
VLAI
Summary
Prototype pollution vulnerability in js-extend
Details

Prototype pollution vulnerability in 'js-extend' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "js-extend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-25945"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-27T23:04:49Z",
    "nvd_published_at": "2021-05-26T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in \u0027js-extend\u0027 versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.",
  "id": "GHSA-mh82-55cm-6gfh",
  "modified": "2022-06-29T20:42:39Z",
  "published": "2021-06-08T23:16:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25945"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vmattos/js-extend"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25945"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution vulnerability in js-extend"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.