CVE-2019-10792
Description
bodymen before 1.1.1 is vulnerable to Prototype Pollution. The handler function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bodymen before 1.1.1 is vulnerable to prototype pollution via the handler function, allowing attackers to add or modify Object.prototype properties using a __proto__ payload.
Vulnerability
Analysis
Bodymen is a Node.js library for handling request bodies. Versions before 1.1.1 are vulnerable to prototype pollution. The handler function could be tricked into adding or modifying properties of Object.prototype by passing a __proto__ payload, as described in the advisory [1].
Exploitation
Exploitation requires that an attacker-controlled string reaches the `type` or `name` argument of bodymen's `handler(type, name, fn)` registration function, for example in an application that registers formatters or validators under user-supplied names. The registry is a plain object and the function writes `handlers[type][name] = fn` with no check on the keys (see the fix diff [3]), so a `type` of `__proto__` resolves through the prototype chain to `Object.prototype` and the write lands on the shared prototype rather than on the registry. This is the classic JavaScript prototype pollution pattern [2]; it needs no authentication if the application passes unauthenticated input through to the handler.
Impact
Successfully exploiting this vulnerability lets an attacker inject or overwrite properties on the base JavaScript object prototype, which every plain object in the process then inherits. At minimum this enables denial of service: the payload used in the project's regression test, `handler('__proto__', 'toString', 'JHU')`, would on an unpatched version replace `Object.prototype.toString` with a string, after which any object-to-string conversion throws a TypeError. Where application or dependency logic branches on properties that are normally absent, the consequences can extend to remote code execution [2].
Mitigation
The issue was fixed in commit 5d52e8c, which makes `handler()` return early when either `type` or `name` is `constructor` or `__proto__`, and adds regression tests for those payloads [3]. Users should update to bodymen 1.1.1 or later. No workarounds are mentioned in the referenced sources.
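The registration pattern from the Exploitation section and the guard from the Mitigation section, as an added example that is not bodymen's code: a minimal registry with the `handlers[type][name] = fn` shape visible in the fix diff, first in vulnerable form (showing the write to `Object.prototype` and the `toString` denial of service) and then hardened with null-prototype registries and an own-property allow-list, which is stricter than the two-key deny-list in the commit. The registry names (`formatters`, `validators`), the `polluted` key and the `upper` handler are assumptions made for this example.

```javascript
// Added example for this page; it is not bodymen's code. It reproduces the
// `handlers[type][name] = fn` registration pattern shown in the fix diff in
// a vulnerable and a hardened form. Registry and handler names are made up.

// Vulnerable shape: a plain-object registry. A `type` of '__proto__'
// resolves through the prototype chain to Object.prototype, so the write
// lands on the shared prototype instead of on the registry.
function makeVulnerableRegistry() {
  const handlers = { formatters: {}, validators: {} };
  return {
    handlers,
    handler(type, name, fn) {
      if (arguments.length > 2) handlers[type][name] = fn;
      return handlers[type] && handlers[type][name];
    },
  };
}

// Hardened shape: null-prototype registries, an own-property check on
// `type` (rejects '__proto__', 'constructor' and inherited names such as
// 'toString'), and an explicit deny-list on `name`. Bad input throws
// instead of being silently ignored.
function makeHardenedRegistry() {
  const handlers = Object.create(null);
  handlers.formatters = Object.create(null);
  handlers.validators = Object.create(null);
  const badName = (k) => k === '__proto__' || k === 'constructor' || k === 'prototype';
  return {
    handlers,
    handler(type, name, fn) {
      if (!Object.prototype.hasOwnProperty.call(handlers, type)) {
        throw new TypeError('unknown handler type: ' + String(type));
      }
      if (typeof name !== 'string' || badName(name)) {
        throw new TypeError('forbidden handler name: ' + String(name));
      }
      if (arguments.length > 2) handlers[type][name] = fn;
      return handlers[type][name];
    },
  };
}

// Constructed attacker input: the strings an application would pass on to
// handler() if it let users choose handler names.
const PAYLOAD = { type: '__proto__', name: 'polluted', value: 'yes' };

// Runs both registries against the payload and reports what unrelated
// objects observe afterwards. Global state is restored before returning.
function runDemo() {
  const r = {};
  const vulnerable = makeVulnerableRegistry();

  vulnerable.handler(PAYLOAD.type, PAYLOAD.name, PAYLOAD.value);
  r.vulnerableLeaked = ({}).polluted;                                    // 'yes' on every object
  r.vulnerableOwn = Object.prototype.hasOwnProperty.call({}, 'polluted'); // false: inherited
  delete Object.prototype.polluted;

  // Impact: a non-function toString (the value the project's own test uses)
  // makes any object-to-string conversion throw, a ready-made DoS.
  const savedToString = Object.prototype.toString;
  vulnerable.handler('__proto__', 'toString', 'JHU');
  let crashed = false;
  try { String({}); } catch (e) { crashed = e instanceof TypeError; }
  Object.prototype.toString = savedToString;
  r.dosCrashed = crashed;

  // A '__proto__' *name* rewrites the sub-registry's prototype, not
  // Object.prototype: the effect is local to handlers.formatters.
  vulnerable.handler('formatters', '__proto__', { injected: true });
  r.subRegistryPolluted = vulnerable.handlers.formatters.injected === true;
  r.globalUntouched = ({}).injected === undefined;

  const hardened = makeHardenedRegistry();
  let blocked = false;
  try { hardened.handler(PAYLOAD.type, PAYLOAD.name, PAYLOAD.value); }
  catch (e) { blocked = e instanceof TypeError; }
  r.hardenedBlocked = blocked;
  r.hardenedLeaked = ({}).polluted;                                      // undefined
  hardened.handler('formatters', 'upper', (s) => s.toUpperCase());
  r.hardenedLookup = hardened.handler('formatters', 'upper')('ok');     // 'OK'
  return r;
}

console.log(runDemo());
```

Run it with `node`. `runDemo()` returns a result object rather than only printing, and restores `Object.prototype` before returning so the pollution does not leak into the rest of the process; the sub-registry case shows why a test that only inspects `{}.toString` cannot detect a `__proto__` passed as `name`.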
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bodymen (npm) | < 1.1.1 | 1.1.1 |
Affected products
- Snyk / bodymen: all versions prior to version 1.1.1
Patches
5d52e8cf3604 Fix prototype pollution vulnerability (#23)
3 files changed · +23 −2
src/index.js+8 −0 modified@@ -18,6 +18,14 @@ export const handlers = { * @param {Function} [fn] - Set the handler method. */ export function handler (type, name, fn) { + if ( + type === 'constructor' || + type === '__proto__' || + name === 'constructor' || + name === '__proto__' + ) { + return + } if (arguments.length > 2) { handlers[type][name] = fn }
test/index.js+15 −0 modified@@ -116,3 +116,18 @@ test('Bodymen middleware', (t) => { t.same(res.body, {links: [{icon: 'path to icon'}]}, 'should respond with correct object') }) }) + +test('Prototype pollution', (t) => { + const { toString } = {} + + bodymen.handler('__proto__', 'toString', 'JHU') + t.ok({}.toString === toString, 'should not be vulnerable to prototype pollution') + + bodymen.handler('formatters', '__proto__', { toString: 'JHU' }) + t.ok({}.toString === toString, 'should not be vulnerable to prototype pollution') + + bodymen.handler('validators', '__proto__', { toString: 'JHU' }) + t.ok({}.toString === toString, 'should not be vulnerable to prototype pollution') + + t.end() +})
.travis.yml+0 −2 modified@@ -1,7 +1,5 @@ language: node_js node_js: - v6 - - v5 - - v4 after_script: - 'npm run coveralls'
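Review bot: in the src/index.js hunk the new guard silently `return`s when `type` or `name` is `constructor` or `__proto__`, so a caller that registers a handler under such a name gets `undefined` back with no signal that the registration was dropped; prefer throwing a `TypeError` so misuse is visible. The check is also a deny-list: because `handlers` is a plain object (`export const handlers = {`), any other inherited key used as `type`, such as `toString` or `hasOwnProperty`, still resolves through the prototype chain and `handlers[type][name] = fn` then writes a property onto that shared built-in function object. An own-property allow-list, e.g. `if (!Object.prototype.hasOwnProperty.call(handlers, type)) throw new TypeError(...)`, closes that path and makes the `constructor`/`__proto__` checks on `type` redundant.

Review bot: in the test/index.js hunk the second and third cases (`bodymen.handler('formatters', '__proto__', { toString: 'JHU' })` and the `validators` variant) assert on `{}.toString`, but assigning `__proto__` on `handlers.formatters` replaces that sub-object's prototype, not `Object.prototype`, so `{}.toString === toString` would hold even without the fix and the assertion never exercises the guard on `name`. Assert on the exported `handlers` object instead, e.g. `t.ok(Object.getPrototypeOf(handlers.formatters) === Object.prototype)` or `t.ok(handlers.formatters.toString !== 'JHU')`. There is also no case for `constructor`, which the guard rejects as well; add one and assert that `Object.prototype` and `{}.constructor` are unchanged.

Review bot: the .travis.yml hunk dropping the v4 and v5 Node targets is unrelated to the prototype pollution fix and belongs in its own commit; as it stands the security fix cannot be cherry-picked without also changing the CI matrix, the CI now covers only Node 6, and the commit message ("Fix prototype pollution vulnerability (#23)") does not mention the change.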
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-8h84-8j4f-p97q (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2019-10792 (NVD advisory)
- [3] github.com/diegohaz/bodymen/commit/5d52e8cf360410ee697afd90937e6042c3a8653b (fix commit)
- [4] snyk.io/vuln/SNYK-JS-BODYMEN-548897 (Snyk advisory)
News mentions
No linked articles in our index yet.