Prototype Pollution
Description
Prototype Pollution in jointjs <3.3.0 via util.setByPath allows arbitrary property injection on Object.prototype.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The package jointjs before version 3.3.0 is vulnerable to Prototype Pollution through the util.setByPath function [1]. setByPath splits its path argument into segments and walks, or creates, a nested object for each one before assigning the final segment; it does not reject segments named __proto__, constructor, or prototype, so a crafted path walks onto the global Object.prototype and sets properties there [3].
Exploitation
An attacker exploits this by supplying a path argument that contains a __proto__ segment (or the equivalent constructor/prototype pair), so the final assignment lands on Object.prototype instead of on the target object [2]. No authentication is required when the application passes user-controlled input into the path parameter. The weakness is classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, 'Prototype Pollution') [1].
Impact
Successful exploitation can result in denial of service (for example, an injected property that makes later code throw JavaScript exceptions) or, where the application later reads the injected property in a security-sensitive decision, altered control flow up to remote code execution [3][4]. Because every plain object inherits from Object.prototype, the injected property appears on objects throughout the process, not only on the object passed to setByPath.
Mitigation
Users should upgrade to jointjs version 3.3.0 or later, where the issue is fixed [2]. There is no known workaround within the library itself; updating is the recommended mitigation [1]. Until the upgrade is deployed, an application that passes untrusted input into the path parameter should reject path segments named __proto__, constructor, or prototype before calling setByPath.
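The walk described in the Vulnerability and Exploitation sections, and the segment check suggested under Mitigation, as an added example. This is not jointjs's own code: the vulnerable helper is a minimal reconstruction of a setByPath-style walker from the advisory's description (an assumed shape), the hardened helper and the attacker paths are constructed for illustration.

```javascript
// Added example (not jointjs's source): a minimal setByPath-style helper
// reconstructed from the advisory's description, beside a hardened form.

// Vulnerable form. The path is split on the delimiter, each intermediate
// segment is looked up (and created as {} if missing), and the last segment
// is assigned. A segment named "__proto__" resolves to Object.prototype, and
// "constructor/prototype" reaches it through the Object function, so the
// final assignment pollutes every plain object in the process.
function setByPathVulnerable(obj, path, value, delim = '/') {
  const keys = Array.isArray(path) ? path : path.split(delim);
  let diver = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    diver = diver[keys[i]] || (diver[keys[i]] = {});
  }
  diver[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened form. Two independent defences: refuse the segments that can reach
// a shared prototype, and only descend through *own* plain-object properties
// so an inherited property can never redirect the walk.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function setByPathHardened(obj, path, value, delim = '/') {
  const keys = Array.isArray(path) ? path : path.split(delim);
  for (const key of keys) {
    if (FORBIDDEN_SEGMENTS.has(key)) {
      throw new Error(`setByPath: refusing prototype-reaching segment "${key}"`);
    }
  }
  let diver = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(diver, key);
    if (!own || typeof diver[key] !== 'object' || diver[key] === null) {
      diver[key] = {};
    }
    diver = diver[key];
  }
  diver[keys[keys.length - 1]] = value;
  return obj;
}

// Demo: an attacker-controlled path (constructed sample input, e.g. taken
// from a JSON request body) is handed to the vulnerable helper. The flag then
// shows up on an unrelated, freshly created object, which is how a downstream
// check such as `if (opts.isAdmin)` gets subverted.
function demonstratePollution(attackerPath = '__proto__/isAdmin') {
  setByPathVulnerable({}, attackerPath, true);
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin; // clean up so the rest of the process is unaffected
  return leaked;
}

// Same input against the hardened helper: the call is rejected and
// Object.prototype stays clean.
function demonstrateHardened(attackerPath = '__proto__/isAdmin') {
  let rejected = false;
  try {
    setByPathHardened({}, attackerPath, true);
  } catch (err) {
    rejected = true;
  }
  return rejected && ({}).isAdmin === undefined;
}

// Usage: both attacker paths pollute through the vulnerable helper, both are
// rejected by the hardened one, and benign paths still work.
console.log(demonstratePollution('__proto__/isAdmin'), demonstratePollution('constructor/prototype/isAdmin'));
console.log(demonstrateHardened('__proto__/isAdmin'), demonstrateHardened('constructor/prototype/isAdmin'));
console.log(JSON.stringify(setByPathHardened({}, 'a/b/c', 1)));
```

The hasOwnProperty check in the hardened form matters on its own: even with the three segment names blocked, descending through an inherited property would let a previously polluted key steer the walk, so the helper only reuses own plain-object values and otherwise creates a fresh one.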
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jointjs (npm) | < 3.3.0 | 3.3.0 |
Affected products
- jointjs/jointjs
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qwp9-52h8-xgg8 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-28480 (NVD)
- github.com/clientIO/joint/blob/master/src/util/util.mjs#L150 (affected source)
- github.com/clientIO/joint/pull/1406 (pull request)
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1062037
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1062036
- snyk.io/vuln/SNYK-JS-JOINTJS-1024444
News mentions
No linked articles in our index yet.