CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
785 vulnerabilities reference this CWE, most recent first.
GHSA-XCG2-9PP4-J82X
Vulnerability from github – Published: 2025-10-23 20:31 – Updated: 2025-10-24 19:28Impact
Prototype pollution vulnerability in merge(). If application code calls rollbar.configure() with untrusted input, prototype pollution is possible.
Patches
Fixed in 2.26.5 and 3.0.0-beta5.
Workarounds
Ensure that values passed to rollbar.configure() do not contain untrusted input.
References
Fixed in https://github.com/rollbar/rollbar.js/pull/1394 (2.26.x) and https://github.com/rollbar/rollbar.js/pull/1390 (3.x)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.26.4"
},
"package": {
"ecosystem": "npm",
"name": "rollbar"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.26.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.0-beta4"
},
"package": {
"ecosystem": "npm",
"name": "rollbar"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-alpha1"
},
{
"fixed": "3.0.0-beta5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62517"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-23T20:31:30Z",
"nvd_published_at": "2025-10-23T20:15:41Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nPrototype pollution vulnerability in merge(). If application code calls `rollbar.configure()` with untrusted input, prototype pollution is possible.\n\n### Patches\n\nFixed in 2.26.5 and 3.0.0-beta5.\n\n### Workarounds\n\nEnsure that values passed to `rollbar.configure()` do not contain untrusted input.\n\n### References\n\nFixed in https://github.com/rollbar/rollbar.js/pull/1394 (2.26.x) and https://github.com/rollbar/rollbar.js/pull/1390 (3.x)",
"id": "GHSA-xcg2-9pp4-j82x",
"modified": "2025-10-24T19:28:46Z",
"published": "2025-10-23T20:31:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rollbar/rollbar.js/security/advisories/GHSA-xcg2-9pp4-j82x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62517"
},
{
"type": "WEB",
"url": "https://github.com/rollbar/rollbar.js/pull/1390"
},
{
"type": "WEB",
"url": "https://github.com/rollbar/rollbar.js/pull/1394"
},
{
"type": "WEB",
"url": "https://github.com/rollbar/rollbar.js/commit/61032fe6c208b71e249514800808a54bcb8cb8bb"
},
{
"type": "WEB",
"url": "https://github.com/rollbar/rollbar.js/commit/d717def8b68f4a947975d0aebb729869cdb2d343"
},
{
"type": "PACKAGE",
"url": "https://github.com/rollbar/rollbar.js"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "rollbar vulnerable to Prototype Pollution in merge()"
}
GHSA-XCVV-84J5-JW9H
Vulnerability from github – Published: 2018-07-26 15:12 – Updated: 2023-03-01 01:46Versions of assign-deep before 0.4.7 are vulnerable to prototype pollution via merging functions.
Recommendation
Update to version 0.4.7 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "assign-deep"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-3720"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-471"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T22:03:01Z",
"nvd_published_at": "2018-06-07T02:29:00Z",
"severity": "HIGH"
},
"details": "Versions of `assign-deep` before 0.4.7 are vulnerable to prototype pollution via merging functions.\n\n\n## Recommendation\n\nUpdate to version 0.4.7 or later.",
"id": "GHSA-xcvv-84j5-jw9h",
"modified": "2023-03-01T01:46:49Z",
"published": "2018-07-26T15:12:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3720"
},
{
"type": "WEB",
"url": "https://github.com/jonschlinkert/assign-deep/commit/19953a8c089b0328c470acaaaf6accdfcb34da11"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/310707"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-xcvv-84j5-jw9h"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/579"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in assign-deep"
}
GHSA-XFQM-J7PC-XRFC
Vulnerability from github – Published: 2025-09-24 21:30 – Updated: 2025-09-25 16:46The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing special characters (e.g., proto ), which can lead to unintended modification of the JavaScript Object prototype. This vulnerability may allow a remote attacker to inject properties into the global object prototype via specially crafted message input, potentially causing denial of service or other undefined behaviors in applications using the affected component.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2.3.0"
},
"package": {
"ecosystem": "npm",
"name": "messageformat"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.0-beta.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-57349"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-25T16:46:42Z",
"nvd_published_at": "2025-09-24T19:15:40Z",
"severity": "LOW"
},
"details": "The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due to improper handling of message key paths in versions prior to 2.3.0. The flaw arises when processing nested message keys containing special characters (e.g., __proto__ ), which can lead to unintended modification of the JavaScript Object prototype. This vulnerability may allow a remote attacker to inject properties into the global object prototype via specially crafted message input, potentially causing denial of service or other undefined behaviors in applications using the affected component.",
"id": "GHSA-xfqm-j7pc-xrfc",
"modified": "2025-09-25T16:46:42Z",
"published": "2025-09-24T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57349"
},
{
"type": "WEB",
"url": "https://github.com/messageformat/messageformat/issues/452"
},
{
"type": "PACKAGE",
"url": "https://github.com/messageformat/messageformat"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "messageformat has a prototype pollution vulnerability"
}
GHSA-XG68-CHX2-253G
Vulnerability from github – Published: 2021-05-24 19:53 – Updated: 2025-08-14 22:15Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-deparam allows a malicious user to inject properties into Object.prototype.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "jquery-deparam"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-20087"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-20T21:58:11Z",
"nvd_published_at": "2021-04-23T18:15:00Z",
"severity": "HIGH"
},
"details": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027) in jquery-deparam allows a malicious user to inject properties into Object.prototype.",
"id": "GHSA-xg68-chx2-253g",
"modified": "2025-08-14T22:15:23Z",
"published": "2021-05-24T19:53:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20087"
},
{
"type": "WEB",
"url": "https://github.com/BlackFan/client-side-prototype-pollution/blob/master/pp/jquery-deparam.md"
},
{
"type": "WEB",
"url": "https://github.com/RetireJS/retire.js/blob/6da45fcb6a3425e55ee8181b2ac35168879bf086/repository/jsrepository-master.json#L824-L842"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in jquery-deparam"
}
GHSA-XH38-HRRG-8CJV
Vulnerability from github – Published: 2024-01-05 18:30 – Updated: 2024-01-05 18:30A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to override existing attributes with ones that have incompatible type, which may lead to a crash via a network.
We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later
{
"affected": [],
"aliases": [
"CVE-2023-39296"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-05T17:15:09Z",
"severity": "HIGH"
},
"details": "A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to override existing attributes with ones that have incompatible type, which may lead to a crash via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\n",
"id": "GHSA-xh38-hrrg-8cjv",
"modified": "2024-01-05T18:30:25Z",
"published": "2024-01-05T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39296"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-23-64"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XJ6R-WGR5-8RXC
Vulnerability from github – Published: 2025-02-12 18:31 – Updated: 2025-02-21 12:32In Progress® Telerik® Kendo UI for Vue versions v2.4.0 through v6.0.1, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection.
{
"affected": [],
"aliases": [
"CVE-2024-11628"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-12T17:15:22Z",
"severity": "MODERATE"
},
"details": "In Progress\u00ae Telerik\u00ae Kendo UI for Vue versions v2.4.0 through v6.0.1, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection.",
"id": "GHSA-xj6r-wgr5-8rxc",
"modified": "2025-02-21T12:32:11Z",
"published": "2025-02-12T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11628"
},
{
"type": "WEB",
"url": "https://www.telerik.com/kendo-vue-ui/components/knowledge-base/kb-security-protoype-pollution-2024-11628"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XP7R-J8R6-J9H3
Vulnerability from github – Published: 2026-05-18 16:43 – Updated: 2026-06-09 10:50Summary
parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process.
Details
The vulnerability is in handlePathPart in src/index.ts, which performs currentObject[pathPart.path] and currentObject[pathPart.path] = val for object-type path segments without rejecting reserved keys. When the segment is __proto__, the read returns Object.prototype, which then becomes the next traversal target, and the next assignment lands on the prototype.
Reproduction on a fresh install of parse-nested-form-data@1.0.0:
import { parseFormData } from 'parse-nested-form-data';
const fd = new FormData();
fd.append('__proto__.polluted', 'yes');
parseFormData(fd);
console.log(({}).polluted); // -> 'yes'
console.log(([]).polluted); // -> 'yes'
Equivalent vectors:
__proto__[polluted]=yesa.__proto__.polluted=yes(mid-path traversal)a[0].__proto__.polluted=yes(mid-path through an array element)
constructor.prototype.x was incidentally blocked by an existing duplicate-key guard (because Object is a function and failed the JSON-object check), but relying on that was fragile, so the fix denylists constructor and prototype as well as __proto__. The array branch (a[0], a[]) was not exploitable in practice - the regex restricts array-index segments to digit characters - but the forbidden-key check is applied before the object/array type branching as defense in depth, so any future change to the regex cannot reintroduce the issue.
Impact
Any application that passes attacker-controlled FormData (or any Iterable<[string, string | File]>) to parseFormData() - typically an HTTP server processing form submissions - allows an unauthenticated remote client to mutate Object.prototype of the running process via a single field name. Concrete consequences depend on the host application and may include corrupted application state, altered control flow in code that reads ambient properties off objects, and denial of service.
Patches
Fixed in 1.0.1. handlePathPart now throws a new ForbiddenKeyError (also exported) when any path segment is __proto__, constructor, or prototype, regardless of whether the segment would be used as an object key or an array index. The check runs before object/array type branching for defense in depth.
Upgrade:
npm install parse-nested-form-data@^1.0.1
Workarounds
If upgrading is not possible, validate field names before calling parseFormData():
const FORBIDDEN = /(^|\.)(__proto__|constructor|prototype)($|[.[])/;
for (const [name] of formData.entries()) {
if (FORBIDDEN.test(name)) throw new Error('Unsafe field name');
}
Resources
- CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- Fix commit: 527ad58eb486e32438f7198fb88315c20449d792
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.0"
},
"package": {
"ecosystem": "npm",
"name": "parse-nested-form-data"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45302"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T16:43:12Z",
"nvd_published_at": "2026-06-01T19:16:51Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`parseFormData()` walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with `__proto__`, or contains `.__proto__.` mid-path, causes the parser to traverse onto `Object.prototype` and assign properties there, polluting the prototype chain of every plain object in the running process.\n\n## Details\n\nThe vulnerability is in `handlePathPart` in `src/index.ts`, which performs `currentObject[pathPart.path]` and `currentObject[pathPart.path] = val` for object-type path segments without rejecting reserved keys. When the segment is `__proto__`, the read returns `Object.prototype`, which then becomes the next traversal target, and the next assignment lands on the prototype.\n\nReproduction on a fresh install of `parse-nested-form-data@1.0.0`:\n\n```js\nimport { parseFormData } from \u0027parse-nested-form-data\u0027;\nconst fd = new FormData();\nfd.append(\u0027__proto__.polluted\u0027, \u0027yes\u0027);\nparseFormData(fd);\nconsole.log(({}).polluted); // -\u003e \u0027yes\u0027\nconsole.log(([]).polluted); // -\u003e \u0027yes\u0027\n```\n\nEquivalent vectors:\n\n- `__proto__[polluted]=yes`\n- `a.__proto__.polluted=yes` (mid-path traversal)\n- `a[0].__proto__.polluted=yes` (mid-path through an array element)\n\n`constructor.prototype.x` was incidentally blocked by an existing duplicate-key guard (because `Object` is a function and failed the JSON-object check), but relying on that was fragile, so the fix denylists `constructor` and `prototype` as well as `__proto__`. The array branch (`a[0]`, `a[]`) was not exploitable in practice - the regex restricts array-index segments to digit characters - but the forbidden-key check is applied before the object/array type branching as defense in depth, so any future change to the regex cannot reintroduce the issue.\n\n## Impact\n\nAny application that passes attacker-controlled `FormData` (or any `Iterable\u003c[string, string | File]\u003e`) to `parseFormData()` - typically an HTTP server processing form submissions - allows an unauthenticated remote client to mutate `Object.prototype` of the running process via a single field name. Concrete consequences depend on the host application and may include corrupted application state, altered control flow in code that reads ambient properties off objects, and denial of service.\n\n## Patches\n\nFixed in **1.0.1**. `handlePathPart` now throws a new `ForbiddenKeyError` (also exported) when any path segment is `__proto__`, `constructor`, or `prototype`, regardless of whether the segment would be used as an object key or an array index. The check runs before object/array type branching for defense in depth.\n\nUpgrade:\n\n```\nnpm install parse-nested-form-data@^1.0.1\n```\n\n## Workarounds\n\nIf upgrading is not possible, validate field names before calling `parseFormData()`:\n\n```js\nconst FORBIDDEN = /(^|\\.)(__proto__|constructor|prototype)($|[.[])/;\nfor (const [name] of formData.entries()) {\n if (FORBIDDEN.test(name)) throw new Error(\u0027Unsafe field name\u0027);\n}\n```\n\n## Resources\n\n- CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)\n- Fix commit: 527ad58eb486e32438f7198fb88315c20449d792",
"id": "GHSA-xp7r-j8r6-j9h3",
"modified": "2026-06-09T10:50:53Z",
"published": "2026-05-18T16:43:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/milamer/parse-nested-form-data/security/advisories/GHSA-xp7r-j8r6-j9h3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45302"
},
{
"type": "WEB",
"url": "https://github.com/milamer/parse-nested-form-data/commit/527ad58eb486e32438f7198fb88315c20449d792"
},
{
"type": "PACKAGE",
"url": "https://github.com/milamer/parse-nested-form-data"
},
{
"type": "WEB",
"url": "https://github.com/milamer/parse-nested-form-data/releases/tag/v1.0.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names"
}
GHSA-XP9C-82X8-7F67
Vulnerability from github – Published: 2021-02-26 16:31 – Updated: 2021-09-22 13:55Impact
Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime.
Patches
The vulnerability is patched in the 1.2.8 release.
Workarounds
A workaround is to ensure only authorised users are able to access the editor url.
For more information
If you have any questions or comments about this advisory: * Email us at team@nodered.org
Acknowledgements
Thanks to the Tencent Woodpecker Security Team for disclosing this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@node-red/runtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21297"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-02-26T16:22:38Z",
"nvd_published_at": "2021-02-26T17:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nNode-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime.\n\n### Patches\n\nThe vulnerability is patched in the 1.2.8 release.\n\n### Workarounds\n\nA workaround is to ensure only authorised users are able to access the editor url.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [team@nodered.org](mailto:team@nodered.org)\n\n### Acknowledgements\n\nThanks to the Tencent Woodpecker Security Team for disclosing this vulnerability.",
"id": "GHSA-xp9c-82x8-7f67",
"modified": "2021-09-22T13:55:00Z",
"published": "2021-02-26T16:31:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21297"
},
{
"type": "PACKAGE",
"url": "https://github.com/node-red/node-red"
},
{
"type": "WEB",
"url": "https://github.com/node-red/node-red/releases/tag/1.2.8"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/@node-red/editor-api"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/@node-red/runtime"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in Node-Red"
}
GHSA-XPP5-M7FR-WP25
Vulnerability from github – Published: 2025-05-06 18:30 – Updated: 2025-05-06 18:30A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.
{
"affected": [],
"aliases": [
"CVE-2025-25014"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-06T18:15:37Z",
"severity": "CRITICAL"
},
"details": "A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints.",
"id": "GHSA-xpp5-m7fr-wp25",
"modified": "2025-05-06T18:30:39Z",
"published": "2025-05-06T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25014"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/kibana-8-17-6-8-18-1-or-9-0-1-security-update-esa-2025-07/377868"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XPRV-WVH7-QQQX
Vulnerability from github – Published: 2022-11-09 20:47 – Updated: 2023-08-21 18:16Impact
Keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the requestKeywordDenylist option.
Patches
Improved keyword detection.
Workarounds
Configure your firewall to only allow trusted servers to make request to the Parse Server Cloud Code Webhooks API, or block the API completely if you are not using the feature.
Collaborators
Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative
References
- https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.10.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41878"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-09T20:47:27Z",
"nvd_published_at": "2022-11-10T23:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nKeywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the `requestKeywordDenylist` option.\n\n### Patches\n\nImproved keyword detection.\n\n### Workarounds\n\nConfigure your firewall to only allow trusted servers to make request to the Parse Server Cloud Code Webhooks API, or block the API completely if you are not using the feature.\n\n### Collaborators\n\nMikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative\n\n### References\n- https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx\n",
"id": "GHSA-xprv-wvh7-qqqx",
"modified": "2023-08-21T18:16:54Z",
"published": "2022-11-09T20:47:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41878"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/8301"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/8302"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/0a2d412e265992d53a670011afd9d2578562adc3"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/6728da1e3591db1e27031d335d64d8f25546a06f"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers"
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.