hughsk flat index.js unflatten prototype pollution
Description
A critical prototype pollution vulnerability in hughsk/flat's unflatten function allows remote attackers to modify Object.prototype.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The unflatten function in index.js of the hughsk/flat npm package is vulnerable to prototype pollution; the advisory's original scope is versions up to and including 5.0.0, and the affected-packages table below lists the patched release of each older major line [1]. The function does not reject user-controlled keys whose path names __proto__, so an attacker can inject properties that modify Object.prototype [1]. Prototype pollution is a flaw in which an attacker manipulates the prototype of a base object; because Object.prototype is shared, an injected property becomes visible on every ordinary object in the JavaScript runtime.
Attack Vector and Exploitation
The vulnerability can be triggered remotely; an attacker needs no local access to the system [1]. Exploitation involves passing an object whose key contains a __proto__ path segment, for example {"__proto__.polluted": true}. When unflatten splits the key on its delimiter and walks the segments to build the result, looking up result["__proto__"] resolves to Object.prototype rather than to a fresh container, so the final write lands on the shared prototype instead of on the returned object. Because the walk is performed per segment, a __proto__ segment at any depth (a.__proto__.polluted) reaches the same sink. The attack has low complexity and requires neither elevated privileges nor user interaction [1]. Applications that pass untrusted input, such as a parsed JSON request body or query-string parameters, to unflatten are at risk.
Impact
Successful exploitation allows an attacker to override existing properties or add new properties to Object.prototype [1]. This can lead to a variety of security consequences, including modification of application behavior, bypass of security checks, denial of service, or in some cases, arbitrary code execution depending on how the application uses the affected objects. The vulnerability is classified as critical due to the potentially severe impact on the entire application's object model.
Mitigation
The vulnerability has been addressed in version 5.0.1 of the flat package [1], via commit 20ef0ef55dfa028caddaedbcb33efbdb04d18e13 [1], which drops any key whose path contains a __proto__ segment. Equivalent fixes were released for the older major lines (1.6.2, 2.0.2, 3.0.1 and 4.0.2; see the affected packages table below), so upgrade to the patched release of whichever line you use. If you cannot upgrade, sanitize input before calling unflatten: reject any key that contains a __proto__, constructor or prototype segment anywhere in its path, not only at the start, since a key such as a.__proto__.x would slip past a prefix check. The vulnerability is tracked as VDB-216777.
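As an added illustration of the segment walk described under Attack Vector and of the key-filtering workaround above, the following JavaScript is a deliberately simplified reconstruction of unflatten's loop and is not the flat package's own source: it keeps only a dot delimiter and object containers and omits array handling, transformKey and the overwrite option. The names assignPath, unflattenSimplified, sanitizeKeys, probe and demo, the rejectProto option and the payload are this example's own assumptions. It shows the payload polluting Object.prototype, a guard in the style of the upstream fix dropping the key, and the pre-filter recommended for versions that cannot be upgraded.

```javascript
'use strict';

// Added example, not the flat package's own code: a simplified reconstruction
// of unflatten's segment walk that keeps only what the prototype-pollution
// path needs (dot delimiter, object containers). Array handling, transformKey
// and the overwrite option are intentionally omitted.

// Walk the key's segments from root, creating containers as needed, then
// write the value under the last segment. With rejectProto=false this mirrors
// the vulnerable behaviour; with rejectProto=true it mirrors the upstream fix,
// which returns early (dropping the whole key) on a __proto__ segment.
function assignPath(root, key, value, rejectProto) {
  const parts = key.split('.');
  let recipient = root;
  while (parts.length > 1) {
    const seg = parts.shift();
    if (rejectProto && seg === '__proto__') {
      return; // key silently discarded, as in the 5.0.1 patch
    }
    // Vulnerable step: recipient['__proto__'] is Object.prototype, which is
    // an object, so no fresh container is created and the walk descends into
    // the shared prototype instead of into `root`.
    if (recipient[seg] === null || typeof recipient[seg] !== 'object') {
      recipient[seg] = {};
    }
    recipient = recipient[seg];
  }
  recipient[parts[0]] = value;
}

function unflattenSimplified(target, opts = {}) {
  const result = {};
  for (const key of Object.keys(target)) {
    assignPath(result, key, target[key], opts.rejectProto === true);
  }
  return result;
}

// Workaround for pinned versions: drop any key with a dangerous segment
// anywhere in its path, not only as a prefix (a.__proto__.x must be caught).
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function sanitizeKeys(flatObject, delimiter = '.') {
  const clean = {};
  for (const key of Object.keys(flatObject)) {
    if (key.split(delimiter).some((seg) => FORBIDDEN_SEGMENTS.has(seg))) {
      continue;
    }
    clean[key] = flatObject[key];
  }
  return clean;
}

// A fresh {} can only carry `name` through the shared prototype.
function probe(name) {
  return ({})[name];
}

// Runs the three scenarios on a constructed payload (the shape an attacker
// would send in an untrusted JSON body) and reports what each did to
// Object.prototype. The pollution from step 1 is deleted again so the later
// steps, and the rest of the process, start from a clean prototype.
function demo() {
  const payload = JSON.parse(
    '{"__proto__.polluted": "yes", "a.__proto__.deep": "yes", "user.name": "alice"}'
  );

  // 1. Vulnerable walk: both __proto__ keys reach Object.prototype, and the
  //    returned object gets no own "__proto__" property at all.
  const vulnerable = unflattenSimplified(payload);
  const afterVulnerable = { polluted: probe('polluted'), deep: probe('deep') };
  const vulnerableHasOwnProto = Object.prototype.hasOwnProperty.call(vulnerable, '__proto__');
  delete Object.prototype.polluted;
  delete Object.prototype.deep;

  // 2. Patched walk: the __proto__ keys are dropped, user.name survives.
  const fixed = unflattenSimplified(payload, { rejectProto: true });
  const afterFixed = { polluted: probe('polluted'), deep: probe('deep') };

  // 3. Pre-filter in front of the unpatched walk: same outcome as the patch.
  const filtered = unflattenSimplified(sanitizeKeys(payload));
  const afterFiltered = { polluted: probe('polluted'), deep: probe('deep') };

  return {
    afterVulnerable,
    vulnerableHasOwnProto,
    afterFixed,
    afterFiltered,
    fixedUser: fixed.user.name,
    filteredUser: filtered.user.name,
  };
}
```

demo() returns "yes" for both probes after the vulnerable walk and undefined after the patched walk and after the pre-filter, while user.name is preserved in both safe runs. In a real service the filter belongs at the trust boundary, before the parsed body reaches unflatten, and is a stopgap until the patched release is installed.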
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| flat (npm) | < 1.6.2 | 1.6.2 |
| flat (npm) | >= 2.0.0, < 2.0.2 | 2.0.2 |
| flat (npm) | >= 3.0.0, < 3.0.1 | 3.0.1 |
| flat (npm) | >= 4.0.0, < 4.0.2 | 4.0.2 |
| flat (npm) | >= 5.0.0, < 5.0.1 | 5.0.1 |
Affected products
- hughsk/flat v5 (range: 5.0)
Patches
1 file changed · +1 −1
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "flat", - "version": "5.0.0", + "version": "5.0.1", "main": "index.js", "bin": "cli.js", "scripts": {
20ef0ef55dfaFix prototype pollution on unflatten
1 file changed · +4 −0
index.js+4 −0 modified@@ -116,6 +116,10 @@ function unflatten (target, opts) { let recipient = result while (key2 !== undefined) { + if (key1 === '__proto__') { + return + } + const type = Object.prototype.toString.call(recipient[key1]) const isobject = ( type === '[object Object]' ||
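Review bot: the new guard sits at the top of the while (key2 !== undefined) loop body, ahead of the Object.prototype.toString.call(recipient[key1]) lookup that is what resolves a __proto__ segment to Object.prototype, and since it runs on every iteration of the segment walk it catches the segment at any depth, not only as the first key. Two points worth tightening: the comparison covers only the literal '__proto__' segment, so consider also rejecting 'constructor' and 'prototype' segments to match the blocklist normally used for this class of bug; and the bare return silently discards the whole key, so a one-line comment stating that keys containing __proto__ are intentionally dropped would stop the next reader from mistaking it for a stray early exit.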
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/hughsk/flat/commit/20ef0ef55dfa028caddaedbcb33efbdb04d18e13 (GHSA: patch)
- github.com/hughsk/flat/releases/tag/5.0.1 (GHSA: patch)
- github.com/advisories/GHSA-2j2x-2gpw-g8fm (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-36632 (GHSA: advisory)
- github.com/hughsk/flat/compare/3.0.0...3.0.1 (GHSA)
- github.com/hughsk/flat/compare/4.1.0...4.1.1 (GHSA)
- github.com/hughsk/flat/compare/v1.6.0...1.6.2 (GHSA)
- github.com/hughsk/flat/compare/v2.0.1...2.0.2 (GHSA)
- github.com/hughsk/flat/issues/105 (GHSA: issue tracking)
- github.com/hughsk/flat/pull/106 (GHSA: issue tracking)
- vuldb.com (GHSA: signature, permissions required)
- vuldb.com (GHSA: VDB entry, technical description)
News mentions
No linked articles in our index yet.