CVE-2019-10795
Description
undefsafe versions before 2.0.3 are vulnerable to Prototype Pollution, allowing attackers to tamper with Object.prototype via a __proto__ payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Analysis
What is the vulnerability?
Undefsafe is a JavaScript library that simplifies accessing deep object properties without throwing errors when intermediate properties are undefined. Versions prior to 2.0.3 contain a prototype pollution vulnerability [2]. The library's path-traversal function (the advisory text refers to "the a function", apparently a typo for the library's main function) fails to validate property keys, so an attacker can supply a __proto__ segment in the path and modify Object.prototype [1].
How is it exploited?
Exploitation does not require authentication and can be triggered if an attacker can control the path argument passed to undefsafe. Since undefsafe is commonly used to traverse user-supplied objects, an attacker could craft a path like __proto__.polluted to add or overwrite properties on the global Object.prototype. This can be achieved via a crafted object passed to the library.
Impact
Successful prototype pollution can lead to unexpected application behavior, denial of service, or potentially arbitrary code execution if downstream code relies on the polluted properties. For example, an attacker could set Object.prototype.isAdmin to true and gain elevated privileges [1].
Mitigation
The vulnerability was patched in version 2.0.3. The fix (commit f272681) adds a check that returns undefined as soon as a path segment is not an own property of the object being traversed, so the walk can no longer step through __proto__ into the prototype chain [4]. Users should upgrade to undefsafe 2.0.3 or later immediately [2].
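The two behaviours described above, side by side, as an added example. This is a constructed model of the dotted-path accessor pattern, not undefsafe's own code; `walk`, `deepSetUnchecked`, `deepSetChecked` and `demo` are names chosen here.

```javascript
// Constructed model of the undefsafe pattern (not the library's code): walk a
// dotted path, return undefined instead of throwing on a missing intermediate,
// and assign `value` at the final segment when one is supplied.
function walk(obj, path, value, guard) {
  const keys = path.split('.');
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (i === keys.length - 1 && value !== undefined) {
      obj[key] = value;            // write lands on whatever `obj` is by now
      return value;
    }
    if (guard && !guard(obj, key)) return undefined;
    obj = obj[key];                // read step: unguarded, this follows the prototype chain
    if (obj === undefined || obj === null) return undefined;
  }
  return obj;
}

// Vulnerable shape (pre-2.0.3): no guard, so '__proto__' is traversed like any
// other key and the final write hits Object.prototype.
function deepSetUnchecked(obj, path, value) { return walk(obj, path, value, null); }

// Hardened shape (2.0.3): only step into keys the current object itself owns.
// The real fix uses Object.getOwnPropertyNames(obj).indexOf(key) == -1;
// hasOwnProperty.call is the equivalent constant-time test for string keys.
function ownKeyOnly(obj, key) { return Object.prototype.hasOwnProperty.call(obj, key); }
function deepSetChecked(obj, path, value) { return walk(obj, path, value, ownKeyOnly); }

// Run the advisory's path shape through both variants, observe a fresh object
// each time, and restore the global prototype so the process is left clean.
function demo() {
  const payload = '__proto__.polluted';      // constructed, mirrors the advisory text
  const before = ({}).polluted;              // undefined on a clean prototype
  deepSetUnchecked({ a: 'b' }, payload, 'yes');
  const afterUnchecked = ({}).polluted;      // 'yes': every object now inherits it
  delete Object.prototype.polluted;          // undo the pollution
  const checkedReturn = deepSetChecked({ a: 'b' }, payload, 'yes');
  const afterChecked = ({}).polluted;        // still undefined: traversal was refused
  const legit = deepSetChecked({ a: { b: 1 } }, 'a.b');   // normal reads still work
  return { before, afterUnchecked, afterChecked, checkedReturn, legit };
}
```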
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| undefsafe (npm) | < 2.0.3 | 2.0.3 |
Affected products
- Snyk / undefsafe (v5): Range: All versions prior to version 2.0.3
Patches
- f272681b3a50: fix: prevent changes in prototype chain
2 files changed · +15 −0
lib/undefsafe.js+4 −0 modified@@ -99,6 +99,10 @@ function undefsafe(obj, path, value, __res) { return res; } + if (Object.getOwnPropertyNames(obj).indexOf(key) == -1) { + return undefined; + } + obj = obj[key]; if (obj === undefined || obj === null) { break;
test/misc.test.js+11 −0 added@@ -0,0 +1,11 @@ +var test = require('tap').test; +var undefsafe = require('../lib/undefsafe'); + +test('cannot modify prototype chain', function(t) { + const pre = {}.__proto__.toString; + var payload = '__proto__.toString'; + undefsafe({ a: 'b' }, payload, 'JHU'); + t.notEqual({}.toString, 'JHU'); + ({}.__proto__.toString = pre); // restore + t.end(); +});
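Review bot: In the lib/undefsafe.js hunk, `Object.getOwnPropertyNames(obj).indexOf(key) == -1` builds the complete own-property-name array on every path segment; `!Object.prototype.hasOwnProperty.call(obj, key)` is the equivalent constant-time test for string keys and drops the loose `==` as well. Note also that returning `undefined` for any key the current object does not own makes legitimately inherited properties (prototype methods, class getters) unreachable through a path, which is a visible behaviour change that the changelog should state alongside the security fix.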
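Review bot: The test in test/misc.test.js exercises only a two-segment path with `__proto__` in the first position and never checks what `undefsafe` returns; add `t.equal(undefsafe({ a: 'b' }, payload, 'JHU'), undefined)` and a deeper variant such as `undefsafe({ a: { b: 1 } }, 'a.__proto__.toString', 'JHU')` so the guard is verified at more than one traversal depth. `const pre` beside `var payload` mixes declaration styles; pick one. The restore in `({}.__proto__.toString = pre)` would be safer in `t.teardown` so a throwing assertion cannot leave the prototype modified for the remaining tests.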
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-332q-7ff2-57h2 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10795 (GHSA advisory)
- github.com/remy/undefsafe/commit/f272681b3a50e2c4cbb6a8533795e1453382c822 (GHSA, x_refsource_MISC, web)
- snyk.io/vuln/SNYK-JS-UNDEFSAFE-548940 (GHSA, x_refsource_MISC, web)