Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

783 vulnerabilities reference this CWE, most recent first.

GHSA-VHXC-FHM5-QCP9

Vulnerability from github – Published: 2022-03-18 00:01 – Updated: 2022-03-18 22:56
VLAI
Summary
Prototype Pollution in bodymen
Details

The package bodymen from 0.0.0 are vulnerable to Prototype Pollution via the handler function which could be tricked into adding or modifying properties of Object.prototype using a proto payload. Note: This vulnerability derives from an incomplete fix to CVE-2019-10792

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "bodymen"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-18T22:56:29Z",
    "nvd_published_at": "2022-03-17T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The package bodymen from 0.0.0 are vulnerable to Prototype Pollution via the handler function which could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. **Note:** This vulnerability derives from an incomplete fix to [CVE-2019-10792](https://security.snyk.io/vuln/SNYK-JS-BODYMEN-548897)",
  "id": "GHSA-vhxc-fhm5-qcp9",
  "modified": "2022-03-18T22:56:29Z",
  "published": "2022-03-18T00:01:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25296"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/diegohaz/bodymen"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-BODYMEN-2342623"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in bodymen"
}

GHSA-VJ54-72F3-P5JV

Vulnerability from github – Published: 2025-08-26 22:33 – Updated: 2025-08-27 14:27
VLAI
Summary
devalue prototype pollution vulnerability
Details

1. devalue.parse allows __proto__ to be set

A string passed to devalue.parse could represent an object with a __proto__ property, which would assign a prototype to an object while allowing properties to be overwritten:

class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5

2. devalue.parse allows array prototype methods to be assigned to object

In a payload constructed with devalue.stringify, values are represented as array indices, where the array contains the 'hydrated' values:

devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]

devalue.parse does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0

This could be used by a creative attacker to bypass server-side validation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "devalue"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-57820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-26T22:33:14Z",
    "nvd_published_at": "2025-08-26T23:15:35Z",
    "severity": "HIGH"
  },
  "details": "## 1. `devalue.parse` allows `__proto__` to be set\n\nA string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:\n\n```js\nclass Vector {\n  constructor(x, y) {\n    this.x = x;\n    this.y = y;\n  }\n\n  get magnitude() {\n    return (this.x ** 2 + this.y ** 2) ** 0.5;\n  }\n}\n\nconst payload = `[{\"x\":1,\"y\":2,\"magnitude\":3,\"__proto__\":4},3,4,\"nope\",[\"Vector\",5],[6,7],8,9]`;\n\nconst vector = devalue.parse(payload, {\n  Vector: ([x, y]) =\u003e new Vector(x, y)\n});\n\nconsole.log(\"Is vector\", vector instanceof Vector); // true\nconsole.log(vector.x) // 3\nconsole.log(vector.y) // 4\nconsole.log(vector.magnitude); // \"nope\" instead of 5\n```\n\n## 2. `devalue.parse` allows array prototype methods to be assigned to object\n\nIn a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the \u0027hydrated\u0027 values:\n\n```js\ndevalue.stringify({ message: \u0027hello\u0027 }); // [{\"message\":1},\"hello\"]\n```\n\n`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:\n\n```js\nconst object = devalue.parse(\u0027[{\"toString\":\"push\"}]\u0027);\nobject.toString(); // 0\n```\n\nThis could be used by a creative attacker to bypass server-side validation.",
  "id": "GHSA-vj54-72f3-p5jv",
  "modified": "2025-08-27T14:27:08Z",
  "published": "2025-08-26T22:33:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57820"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sveltejs/devalue"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "devalue prototype pollution vulnerability"
}

GHSA-VJ72-MWRJ-M2XQ

Vulnerability from github – Published: 2021-08-10 16:09 – Updated: 2021-08-31 21:21
VLAI
Summary
Prototype Pollution in deepmergefn
Details

All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "deepmergefn"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23417"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-02T18:38:21Z",
    "nvd_published_at": "2021-07-28T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function.\n\n",
  "id": "GHSA-vj72-mwrj-m2xq",
  "modified": "2021-08-31T21:21:45Z",
  "published": "2021-08-10T16:09:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23417"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jesusgm/deepmergefn"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jesusgm/deepmergefn/blob/master/index.js#23L6"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-DEEPMERGEFN-1310984"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in deepmergefn"
}

GHSA-VP77-FQQP-79J8

Vulnerability from github – Published: 2021-04-13 15:20 – Updated: 2021-03-22 22:39
VLAI
Summary
Prototype Pollution in decal
Details

This affects all versions of package decal. The vulnerability is in the set function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "decal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-22T22:39:06Z",
    "nvd_published_at": "2021-02-04T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "This affects all versions of package decal. The vulnerability is in the set function.",
  "id": "GHSA-vp77-fqqp-79j8",
  "modified": "2021-03-22T22:39:06Z",
  "published": "2021-04-13T15:20:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28449"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gigafied/decal.js/blob/master/src/utils/set.js%23L45-L73"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-DECAL-1051007"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/decal"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in decal"
}

GHSA-VPF5-82C8-9V36

Vulnerability from github – Published: 2021-11-23 21:15 – Updated: 2022-07-05 18:01
VLAI
Summary
Prototype Pollution in algoliasearch-helper
Details

The package algoliasearch-helper before 3.6.2 are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.jsSearchParameters._parseNumbers without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "algoliasearch-helper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23433"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-22T19:34:30Z",
    "nvd_published_at": "2021-11-19T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The package algoliasearch-helper before 3.6.2 are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.jsSearchParameters._parseNumbers without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns.",
  "id": "GHSA-vpf5-82c8-9v36",
  "modified": "2022-07-05T18:01:27Z",
  "published": "2021-11-23T21:15:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23433"
    },
    {
      "type": "WEB",
      "url": "https://github.com/algolia/algoliasearch-helper-js/commit/4ff542b70b92a6b81cce8b9255700b0bc0817edd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/algolia/algoliasearch-helper-js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/algolia/algoliasearch-helper-js/blob/3.5.5/src/SearchParameters/index.js%23L291"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in algoliasearch-helper"
}

GHSA-VPGW-FFH3-648H

Vulnerability from github – Published: 2022-04-12 00:00 – Updated: 2022-04-22 20:20
VLAI
Summary
Prototype Pollution in fullpage.js
Details

fullPage utils are available to developers using window.fp_utils. They can use these utils for their own use-case (other than fullPage) as well. However, one of the utils deepExtend is vulnerable to Prototype Pollution vulnerability.

Javascript is "prototype" language which means when a new "object" is created, it carries the predefined properties and methods of an "object" with itself like toString, constructor etc. By using prototype-pollution vulnerability, an attacker can overwrite/create the property of that "object" type. If the victim developer has used that property anywhere in the code, then it will have severe effect on the application.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fullpage.js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-1295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-22T20:20:05Z",
    "nvd_published_at": "2022-04-11T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "fullPage utils are available to developers using window.fp_utils. They can use these utils for their own use-case (other than fullPage) as well. However, one of the utils deepExtend is vulnerable to Prototype Pollution vulnerability.\n\nJavascript is \"prototype\" language which means when a new \"object\" is created, it carries the predefined properties and methods of an \"object\" with itself like toString, constructor etc. By using prototype-pollution vulnerability, an attacker can overwrite/create the property of that \"object\" type. If the victim developer has used that property anywhere in the code, then it will have severe effect on the application.",
  "id": "GHSA-vpgw-ffh3-648h",
  "modified": "2022-04-22T20:20:55Z",
  "published": "2022-04-12T00:00:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1295"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alvarotrigo/fullpage.js/commit/bf62492a22e5d296e63c3ed918a42fc5645a0d48"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/alvarotrigo/fullpage.js"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/3b9d450c-24ac-4037-b04d-4d4dafbf593a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in fullpage.js"
}

GHSA-VPMM-X3FM-QR5C

Vulnerability from github – Published: 2026-06-18 13:05 – Updated: 2026-06-18 13:05
VLAI
Summary
jodit: Prototype pollution in Jodit via Jodit.modules.Helpers.set()
Details

Summary

Jodit.modules.Helpers.set(chain, value, obj) walks the dot-separated chain, creating and following each path segment, without filtering prototype-mutating keys. A chain that begins with (or contains) __proto__, constructor, or prototype lets the final assignment reach and mutate Object.prototype (prototype pollution).

Affected

  • Package: jodit (npm)
  • Versions: < 4.12.26
  • Public API: Jodit.modules.Helpers.set(chain, value, obj)

Proof of Concept

const { Jodit } = require('jodit');
delete Object.prototype.polluted;
Jodit.modules.Helpers.set('__proto__.polluted', 'yes', {});
console.log(({}).polluted); // "yes" (before the fix)
delete Object.prototype.polluted;

Impact

Applications that pass a user-controlled or partially user-controlled key path into Jodit.modules.Helpers.set() could be vulnerable to prototype pollution (CWE-1321): unexpected property injection, logic bypass, denial of service, or secondary security issues.

Patch

Fixed in 4.12.26 by rejecting any chain whose segments include __proto__, constructor, or prototype, reusing the same guard introduced for Jodit.configure() in 4.12.18.

Credit

Responsibly reported by Junming Wu.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jodit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.12.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55886"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:05:01Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n`Jodit.modules.Helpers.set(chain, value, obj)` walks the dot-separated `chain`, creating and following each path segment, without filtering prototype-mutating keys. A chain that begins with (or contains) `__proto__`, `constructor`, or `prototype` lets the final assignment reach and mutate `Object.prototype` (prototype pollution).\n\n### Affected\n- Package: `jodit` (npm)\n- Versions: `\u003c 4.12.26`\n- Public API: `Jodit.modules.Helpers.set(chain, value, obj)`\n\n### Proof of Concept\n```js\nconst { Jodit } = require(\u0027jodit\u0027);\ndelete Object.prototype.polluted;\nJodit.modules.Helpers.set(\u0027__proto__.polluted\u0027, \u0027yes\u0027, {});\nconsole.log(({}).polluted); // \"yes\" (before the fix)\ndelete Object.prototype.polluted;\n```\n\n### Impact\nApplications that pass a user-controlled or partially user-controlled key path into `Jodit.modules.Helpers.set()` could be vulnerable to prototype pollution (CWE-1321): unexpected property injection, logic bypass, denial of service, or secondary security issues.\n\n### Patch\nFixed in 4.12.26 by rejecting any `chain` whose segments include `__proto__`, `constructor`, or `prototype`, reusing the same guard introduced for `Jodit.configure()` in 4.12.18.\n\n### Credit\nResponsibly reported by Junming Wu.",
  "id": "GHSA-vpmm-x3fm-qr5c",
  "modified": "2026-06-18T13:05:01Z",
  "published": "2026-06-18T13:05:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xdan/jodit/security/advisories/GHSA-vpmm-x3fm-qr5c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xdan/jodit"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "jodit: Prototype pollution in Jodit via Jodit.modules.Helpers.set()"
}

GHSA-VQ33-26PR-R4H6

Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2024-04-01 22:02
VLAI
Summary
flattenizer vulnerable to prototype pollution
Details

Overview

Prototype pollution vulnerability in ‘flattenizer’ versions 0.0.5 through 1.0.5 allows an attacker to cause a denial of service and may lead to remote code execution.

Details

The NPM module 'flattenizer' can be abused by Prototype Pollution vulnerability since the function 'unflatten()' did not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.

PoC Details

There is no validation before assigning the property to check whether the assigned argument is the Object's own property or not, the property polluted will be directly be assigned thereby polluting the Object prototype. Later in the code, if there is a check to validate polluted the valued would be substituted as "true" as it had been polluted.

var flattenizer = require("flattenizer")
flattenizer.unflatten({'__proto__.polluted': true});
console.log(polluted);
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flattenizer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.5"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28279"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-01T22:02:50Z",
    "nvd_published_at": "2020-12-29T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Overview\nPrototype pollution vulnerability in \u2018flattenizer\u2019 versions 0.0.5 through 1.0.5 allows an attacker to cause a denial of service and may lead to remote code execution.\n\n### Details\nThe NPM module \u0027flattenizer\u0027 can be abused by Prototype Pollution vulnerability since the function \u0027unflatten()\u0027 did not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.\n\n### PoC Details\nThere is no validation before assigning the property to check whether the assigned argument is the Object\u0027s own property or not, the property `polluted` will be directly be assigned thereby polluting the Object prototype. Later in the code, if there is a check to validate `polluted` the valued would be substituted as \"true\" as it had been polluted.\n\n```js\nvar flattenizer = require(\"flattenizer\")\nflattenizer.unflatten({\u0027__proto__.polluted\u0027: true});\nconsole.log(polluted);\n```",
  "id": "GHSA-vq33-26pr-r4h6",
  "modified": "2024-04-01T22:02:50Z",
  "published": "2022-05-24T17:37:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28279"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sahellebusch/flattenizer/pull/13"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sahellebusch/flattenizer/commit/3c6a6353df7c8879e931973b81a49a47f6c2b399"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20210104205035/https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28279"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "flattenizer vulnerable to prototype pollution"
}

GHSA-VQQW-FR4W-V889

Vulnerability from github – Published: 2024-12-18 12:30 – Updated: 2026-04-01 18:32
VLAI
Details

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mighty Digital Partners allows Object Injection.This issue affects Partners: from n/a through 0.2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56059"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-18T12:15:12Z",
    "severity": "CRITICAL"
  },
  "details": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027) vulnerability in Mighty Digital Partners allows Object Injection.This issue affects Partners: from n/a through 0.2.0.",
  "id": "GHSA-vqqw-fr4w-v889",
  "modified": "2026-04-01T18:32:52Z",
  "published": "2024-12-18T12:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56059"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/partners/vulnerability/wordpress-partners-plugin-0-2-0-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VR5M-3H59-7JCP

Vulnerability from github – Published: 2021-07-01 17:01 – Updated: 2022-05-26 19:57
VLAI
Summary
Prototype Pollution in think-helper
Details

Impact

The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Patches

think-helper@1.1.3 patched it, anyone used think-helper should upgrade to >=1.1.3 version.

References

https://cwe.mitre.org/data/definitions/1321.html

For more information

If you have any questions or comments about this advisory: * Open an issue in thinkjs/thinkjs * Email us at i@imnerd.org

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "think-helper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-30T17:40:38Z",
    "nvd_published_at": "2021-06-30T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.\n\n### Patches\n\n`think-helper@1.1.3` patched it, anyone used `think-helper` should upgrade to `\u003e=1.1.3` version.\n\n### References\n\nhttps://cwe.mitre.org/data/definitions/1321.html\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [thinkjs/thinkjs](https://github.com/thinkjs/thinkjs)\n* Email us at [i@imnerd.org](mailto:i@imnerd.org)\n",
  "id": "GHSA-vr5m-3h59-7jcp",
  "modified": "2022-05-26T19:57:25Z",
  "published": "2021-07-01T17:01:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thinkjs/think-helper/security/advisories/GHSA-vr5m-3h59-7jcp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32736"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thinkjs/think-helper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in think-helper"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.