Common Weakness Enumeration

CWE-1321

Allowed

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

782 vulnerabilities reference this CWE, most recent first.

GHSA-WWG2-2CRQ-6GRR

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-06-17 21:38
VLAI
Summary
Prototype pollution in @strikeentco/set
Details

Prototype pollution vulnerability in '@strikeentco/set' version 1.0.0 allows attacker to cause a denial of service and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@strikeentco/set"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-17T21:38:52Z",
    "nvd_published_at": "2020-11-10T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Prototype pollution vulnerability in \u0027@strikeentco/set\u0027 version 1.0.0 allows attacker to cause a denial of service and may lead to remote code execution.",
  "id": "GHSA-wwg2-2crq-6grr",
  "modified": "2022-06-17T21:38:52Z",
  "published": "2022-05-24T17:34:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28267"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strikeentco/set/commit/102cc6b2e1d1e0c928ced87e75df759d5541ff60"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strikeentco/set"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-28267"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype pollution in @strikeentco/set"
}

GHSA-WWXH-74FX-33C6

Vulnerability from github – Published: 2023-05-01 14:01 – Updated: 2023-05-01 14:01
VLAI
Summary
Possible prototype pollution in metadata record, when using meta decorator
Details

Impact

Possible prototype pollution for the MetadataRecord, when merged with a base class' metadata object, in meta decorator from the @aedart/support package.

The likelihood is questionable, given that a class' metadata can only be set or altered when the class is decorated via meta(). Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can become a vulnerability.

Patches

Has been patched in version 0.6.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@aedart/support"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-30857"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-01T14:01:02Z",
    "nvd_published_at": "2023-04-28T21:15:09Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nPossible prototype pollution for the `MetadataRecord`, when merged with a base class\u0027 metadata object, in `meta` decorator from the `@aedart/support` package.\n\nThe likelihood is questionable, given that a class\u0027 metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can become a vulnerability.\n### Patches\n\nHas been patched in version `0.6.1`.\n",
  "id": "GHSA-wwxh-74fx-33c6",
  "modified": "2023-05-01T14:01:02Z",
  "published": "2023-05-01T14:01:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30857"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aedart/ion"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Possible prototype pollution in metadata record, when using meta decorator"
}

GHSA-WX5G-37JH-9GCR

Vulnerability from github – Published: 2022-10-20 12:00 – Updated: 2022-10-21 19:01
VLAI
Details

Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-37598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-20T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js.",
  "id": "GHSA-wx5g-37jh-9gcr",
  "modified": "2022-10-21T19:01:14Z",
  "published": "2022-10-20T12:00:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37598"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mishoo/UglifyJS/issues/5699"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mishoo/UglifyJS/issues/5721#issuecomment-1292849604"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L46"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L79"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WXFJ-84XF-7GXV

Vulnerability from github – Published: 2023-02-28 06:30 – Updated: 2023-03-08 23:14
VLAI
Summary
mde utilities contains Prototype Pollution
Details

All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "utilities"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26105"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-06T21:55:12Z",
    "nvd_published_at": "2023-02-28T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function.",
  "id": "GHSA-wxfj-84xf-7gxv",
  "modified": "2023-03-08T23:14:00Z",
  "published": "2023-02-28T06:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26105"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mde/utilities/issues/29"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-UTILITIES-3184491"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "mde utilities contains Prototype Pollution"
}

GHSA-X2W5-725J-GF2G

Vulnerability from github – Published: 2022-04-20 16:21 – Updated: 2022-05-26 19:43
VLAI
Summary
Prototype Pollution in convict
Details

Impact

  • An attacker can inject attributes that are used in other components
  • An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.

The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files.

Patches

The problem is patched in convict@6.2.3. Users should upgrade to convict@6.2.3.

Workarounds

No way for users to fix or remediate the vulnerability without upgrading

References

  • https://www.huntr.dev/bounties/1-npm-convict/
  • 384

  • 3b86be087d8f14681a9c889d45da7fe3ad9cd880
  • 1ea0ab19c5208f66509e1c43b0d0f21c1fd29b75

For more information

If you have any questions or comments about this advisory: add your question as a comment in #384

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "convict"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-22143"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-20T16:21:03Z",
    "nvd_published_at": "2022-05-01T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\n* An attacker can inject attributes that are used in other components\n* An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.\n\nThe main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it\u0027s unlikely that an admin would deliberately sabotage their own server. Still a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files.\n\n### Patches\n\nThe problem is patched in `convict@6.2.3`. Users should upgrade to `convict@6.2.3`.\n\n### Workarounds\n\nNo way for users to fix or remediate the vulnerability without upgrading\n\n### References\n\n* https://www.huntr.dev/bounties/1-npm-convict/\n* #384\n* 3b86be087d8f14681a9c889d45da7fe3ad9cd880\n* 1ea0ab19c5208f66509e1c43b0d0f21c1fd29b75\n\n### For more information\n\nIf you have any questions or comments about this advisory: \nadd your question as a comment in #384 \n",
  "id": "GHSA-x2w5-725j-gf2g",
  "modified": "2022-05-26T19:43:23Z",
  "published": "2022-04-20T16:21:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/node-convict/security/advisories/GHSA-x2w5-725j-gf2g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22143"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/node-convict/pull/384"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/node-convict"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/node-convict/blob/5eb1314f85346760a3c31cb14510f2f0af11d0d3/packages/convict/src/main.js%23L569"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/node-convict/releases/tag/v6.2.2"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-CONVICT-2340604"
    },
    {
      "type": "WEB",
      "url": "https://www.huntr.dev/bounties/1-npm-convict"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in convict"
}

GHSA-X3CC-X39P-42QX

Vulnerability from github – Published: 2023-06-13 12:44 – Updated: 2023-12-14 22:27
VLAI
Summary
fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name
Details

Impact

As a part of this vulnerability, user was able to se code using __proto__ as a tag or attribute name.

const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser");

let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>"

const parser = new XMLParser();
let jObj = parser.parse(XMLdata);

console.log(jObj.polluted) // should return hacked

Patches

The problem has been patched in v4.1.2

Workarounds

User can check for "proto" in the XML string before parsing it to the parser.

References

https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26920"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-13T12:44:34Z",
    "nvd_published_at": "2023-12-12T17:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAs a part of this vulnerability, user was able to se code using `__proto__` as a tag or attribute name.\n\n```js\nconst { XMLParser, XMLBuilder, XMLValidator} = require(\"fast-xml-parser\");\n\nlet XMLdata = \"\u003c__proto__\u003e\u003cpolluted\u003ehacked\u003c/polluted\u003e\u003c/__proto__\u003e\"\n\nconst parser = new XMLParser();\nlet jObj = parser.parse(XMLdata);\n\nconsole.log(jObj.polluted) // should return hacked\n``` \n\n### Patches\nThe problem has been patched in v4.1.2\n\n### Workarounds\nUser can check for \"__proto__\" in the XML string before parsing it to the parser.\n\n### References\nhttps://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7\n",
  "id": "GHSA-x3cc-x39p-42qx",
  "modified": "2023-12-14T22:27:59Z",
  "published": "2023-06-13T12:44:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-x3cc-x39p-42qx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26920"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/2b032a4f799c63d83991e4f992f1c68e4dd05804"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-793h-6f7r-6qvm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name"
}

GHSA-X3M3-4WPV-5VGC

Vulnerability from github – Published: 2024-07-01 15:32 – Updated: 2024-07-25 15:25
VLAI
Summary
jrburke requirejs vulnerable to prototype pollution
Details

jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.6"
      },
      "package": {
        "ecosystem": "npm",
        "name": "requirejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-38999"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-10T16:50:19Z",
    "nvd_published_at": "2024-07-01T13:15:05Z",
    "severity": "HIGH"
  },
  "details": "jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function `s.contexts._.configure`. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.",
  "id": "GHSA-x3m3-4wpv-5vgc",
  "modified": "2024-07-25T15:25:40Z",
  "published": "2024-07-01T15:32:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38999"
    },
    {
      "type": "WEB",
      "url": "https://github.com/requirejs/r.js/issues/1015"
    },
    {
      "type": "WEB",
      "url": "https://github.com/requirejs/requirejs/issues/1854"
    },
    {
      "type": "WEB",
      "url": "https://github.com/requirejs/requirejs/pull/1856/commits/ebd7a2ff71473542fa132d0d15c10fb4ed1539e1"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mestrtee/9acae342285bd2998fa09ebcb1e6d30a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/requirejs/r.js"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-REQUIREJS-5416713"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "jrburke requirejs vulnerable to prototype pollution"
}

GHSA-X3WR-V4WX-5QPC

Vulnerability from github – Published: 2021-06-21 17:14 – Updated: 2022-06-29 20:41
VLAI
Summary
Prototype Pollution
Details

Prototype pollution vulnerability in ‘expand-hash’ versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "expand-hash"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-25948"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-14T19:29:17Z",
    "nvd_published_at": "2021-06-10T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Prototype pollution vulnerability in \u2018expand-hash\u2019 versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.",
  "id": "GHSA-x3wr-v4wx-5qpc",
  "modified": "2022-06-29T20:41:54Z",
  "published": "2021-06-21T17:14:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25948"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/doowb/expand-hash"
    },
    {
      "type": "WEB",
      "url": "https://github.com/doowb/expand-hash/blob/556913f6c2f05848110b5b8261cfc78e5ce3dc77/index.js#L19"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25948"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution"
}

GHSA-X5M8-2R8V-8F97

Vulnerability from github – Published: 2022-03-18 00:01 – Updated: 2022-03-29 22:05
VLAI
Summary
Prototype Pollution in libnested
Details

The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. Note: This vulnerability derives from an incomplete fix for CVE-2020-28283

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "libnested"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-18T22:57:55Z",
    "nvd_published_at": "2022-03-17T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. **Note:** This vulnerability derives from an incomplete fix for [CVE-2020-28283](https://security.snyk.io/vuln/SNYK-JS-LIBNESTED-1054930)",
  "id": "GHSA-x5m8-2r8v-8f97",
  "modified": "2022-03-29T22:05:38Z",
  "published": "2022-03-18T00:01:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25352"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dominictarr/libnested/commit/c1129865d75fbe52b5a4f755ad3110ca5420f2e1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dominictarr/libnested"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dominictarr/libnested/blob/master/index.js%23L22"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-LIBNESTED-2342117"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in libnested"
}

GHSA-X5R6-X823-9848

Vulnerability from github – Published: 2021-05-10 19:15 – Updated: 2023-09-05 22:44
VLAI
Summary
Arbitrary Code Execution in json-ptr
Details

npm json-ptr before 2.1.0 has an arbitrary code execution vulnerability. The issue occurs in the set operation when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "json-ptr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-400",
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-19T23:01:34Z",
    "nvd_published_at": "2020-11-10T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "npm `json-ptr` before 2.1.0 has an arbitrary code execution vulnerability. The issue occurs in the [set operation](https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution.",
  "id": "GHSA-x5r6-x823-9848",
  "modified": "2023-09-05T22:44:45Z",
  "published": "2021-05-10T19:15:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7766"
    },
    {
      "type": "WEB",
      "url": "https://github.com/418sec/json-ptr/pull/3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flitbit/json-ptr/commit/2539e3494c80af1eef24f0f433654a61f255f011"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flitbit/json-ptr/blob/master/src/util.ts%23L174"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038396"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-JSONPTR-1016939"
    },
    {
      "type": "WEB",
      "url": "https://www.huntr.dev/bounties/2-npm-json-ptr"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/json-ptr"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Arbitrary Code Execution in json-ptr"
}

Mitigation
Implementation

By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.

Mitigation
Architecture and Design

By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.

Mitigation
Implementation

Strategy: Input Validation

When handling untrusted objects, validating using a schema can be used.

Mitigation
Implementation

By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.

Mitigation
Implementation

Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.

CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.