GHSA-HP36-V28F-W3R4
Vulnerability from github – Published: 2026-06-19 20:47 – Updated: 2026-06-19 20:47Summary
convert() builds the nested tree by using each flat record's id and parent field values directly as object keys, with no guard against __proto__ / constructor / prototype. A record whose parent is the string "__proto__" makes temp[parent] resolve to Object.prototype, and the following initPush(...) writes attacker-controlled data onto the global prototype. Any application that passes attacker-influenced records to convert() is affected, and the base prototype methods stay intact so the pollution is stealthy.
### Details
In index.js, convert() (FlatToNested.prototype.convert):
temp = {}(line 45) andpendingChildOf = {}(line 46) are plain objects, so they inherit fromObject.prototype.- For each record,
parent = flatEl[this.config.parent](line 51) is taken verbatim from input. - Line 57:
if (temp[parent] !== undefined)— whenparent === "__proto__",temp["__proto__"]resolves via the prototype chain toObject.prototype, which is!== undefined, so the branch is taken. - Line 59:
initPush(this.config.children, temp[parent], flatEl)→ effectivelyinitPush("children", Object.prototype, flatEl). initPush(lines 4-9):Object.prototype["children"] = []thenObject.prototype["children"].push(flatEl)— attacker-controlled data is written onto the globalObject.prototype.
There is no sanitization of id / parent anywhere; they flow straight into temp[id], temp[parent], and pendingChildOf[parent] as dynamic keys.
### PoC ```js const FlatToNested = require('flat-to-nested');
new FlatToNested().convert([ { id: 1, parent: 'proto', polluted: 'PWNED' } ]);
console.log(({}).children); // => [ { id: 1, polluted: 'PWNED' } ] A freshly-created, unrelated object {} now carries an attacker-controlled children property. ({}).toString === Object.prototype.toString remains true, so existing methods are untouched (stealthy). If the consumer configures a custom children key, that arbitrary prototype property is polluted instead. ```
### Impact
Prototype pollution (CWE-1321). Any service that builds a tree from attacker-influenced flat records (the package's core purpose — e.g. records derived from a DB/REST/user input) can have Object.prototype polluted. Consequences range from application-logic corruption and denial of service to serving as a gadget toward privilege escalation or RCE depending on downstream sinks. No special privileges or user interaction required; the malicious value is ordinary input data.
### Suggested fix
Use prototype-less lookup tables so inherited keys like proto cannot be reached: var temp = Object.create(null); var pendingChildOf = Object.create(null); (Optionally also reject id/parent values equal to proto, constructor, or prototype.) Verified: with Object.create(null) for both temp and pendingChildOf, the PoC no longer pollutes Object.prototype and normal nesting output is unchanged. A patch with a regression test is ready.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.1"
},
"package": {
"ecosystem": "npm",
"name": "flat-to-nested"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55091"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T20:47:52Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n `convert()` builds the nested tree by using each flat record\u0027s `id` and `parent` field values directly as object keys, with no guard against `__proto__` / `constructor` / `prototype`. A record whose `parent` is the string `\"__proto__\"` makes `temp[parent]` resolve to `Object.prototype`, and the following `initPush(...)` writes attacker-controlled data onto the global prototype. Any application that passes attacker-influenced records to `convert()` is affected, and the base prototype methods stay intact so the pollution is stealthy.\n\n ### Details\n In `index.js`, `convert()` (`FlatToNested.prototype.convert`):\n\n - `temp = {}` (line 45) and `pendingChildOf = {}` (line 46) are plain objects, so they inherit from `Object.prototype`.\n - For each record, `parent = flatEl[this.config.parent]` (line 51) is taken verbatim from input.\n - Line 57: `if (temp[parent] !== undefined)` \u2014 when `parent === \"__proto__\"`, `temp[\"__proto__\"]` resolves via the prototype chain to `Object.prototype`, which is `!== undefined`, so the\n branch is taken.\n - Line 59: `initPush(this.config.children, temp[parent], flatEl)` \u2192 effectively `initPush(\"children\", Object.prototype, flatEl)`.\n - `initPush` (lines 4-9): `Object.prototype[\"children\"] = []` then `Object.prototype[\"children\"].push(flatEl)` \u2014 **attacker-controlled data is written onto the global `Object.prototype`.**\n\n There is no sanitization of `id` / `parent` anywhere; they flow straight into `temp[id]`, `temp[parent]`, and `pendingChildOf[parent]` as dynamic keys.\n\n ### PoC\n ```js\n const FlatToNested = require(\u0027flat-to-nested\u0027);\n\n new FlatToNested().convert([\n { id: 1, parent: \u0027__proto__\u0027, polluted: \u0027PWNED\u0027 }\n ]);\n\n console.log(({}).children); // =\u003e [ { id: 1, polluted: \u0027PWNED\u0027 } ]\n A freshly-created, unrelated object {} now carries an attacker-controlled children property. ({}).toString === Object.prototype.toString remains true, so existing methods are untouched (stealthy). If the consumer configures a custom children key, that arbitrary prototype property is polluted instead.\n ```\n \n ### Impact\n\n Prototype pollution (CWE-1321). Any service that builds a tree from attacker-influenced flat records (the package\u0027s core purpose \u2014 e.g. records derived from a DB/REST/user input) can have Object.prototype polluted. Consequences range from application-logic corruption and denial of service to serving as a gadget toward privilege escalation or RCE depending on downstream sinks. No special privileges or user interaction required; the malicious value is ordinary input data.\n\n ### Suggested fix\n\n Use prototype-less lookup tables so inherited keys like __proto__ cannot be reached:\n var temp = Object.create(null);\n var pendingChildOf = Object.create(null);\n (Optionally also reject id/parent values equal to __proto__, constructor, or prototype.) Verified: with Object.create(null) for both temp and pendingChildOf, the PoC no longer pollutes Object.prototype and normal nesting output is unchanged. A patch with a regression test is ready.",
"id": "GHSA-hp36-v28f-w3r4",
"modified": "2026-06-19T20:47:52Z",
"published": "2026-06-19T20:47:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/joaonuno/flat-to-nested-js/security/advisories/GHSA-hp36-v28f-w3r4"
},
{
"type": "WEB",
"url": "https://github.com/joaonuno/flat-to-nested-js/commit/680a5ebe1194edda16fa93baaa56ff14fe0e3d7f"
},
{
"type": "PACKAGE",
"url": "https://github.com/joaonuno/flat-to-nested-js"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "flat-to-nested: Prototype pollution in flat-to-nested convert() via __proto__ parent/id key"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.