Prototype Pollution
Description
Open-graph package before 0.2.6 allows prototype pollution via the parse function using __proto__ or constructor payloads.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The open-graph package before version 0.2.6 is vulnerable to prototype pollution. The parse function fails to sanitize object keys, allowing an attacker to inject or modify properties of Object.prototype by using payloads such as __proto__ or constructor [1][2]. This affects all versions prior to the fix.
Exploitation
An attacker can exploit this vulnerability by supplying a crafted URL or HTML content containing __proto__ or constructor keys. When the parse function processes such input, it traverses and assigns values to object paths without checking for blacklisted keys, leading to prototype pollution [1]. No authentication is required if the application uses the library to parse untrusted sources.
Impact
Successful exploitation allows the attacker to pollute Object.prototype, potentially altering the behavior of all objects in the runtime. This can result in property injection, denial of service, or arbitrary code execution depending on how the polluted properties are used by the application [1].
Mitigation
The vulnerability is fixed in version 0.2.6. Users should upgrade to this version or later. The fix adds a blacklist of keys (__proto__, constructor, prototype) that are skipped during parsing [3]. No workaround is available for earlier versions.
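The following is an added illustration, not code from the open-graph package: a minimal model of the "split the property name on ':' and assign along the path" logic the advisory describes, in a vulnerable form and a hardened form, with a check that Object.prototype stayed clean. Function names, the blacklist handling and the sample property names are constructed for this example.

```javascript
// Added example (hypothetical helpers, not the library's own code).
const KEY_BLACKLIST = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable model: walks the colon-separated path and assigns without
// inspecting the segments, so "__proto__" redirects the walk into
// Object.prototype and the last segment lands there.
function assignPathUnsafe(root, property, value) {
  const keys = property.split(':');
  let ptr = root;
  while (keys.length > 1) {
    const key = keys.shift();
    if (typeof ptr[key] !== 'object' || ptr[key] === null) ptr[key] = {};
    ptr = ptr[key];
  }
  ptr[keys[0]] = value;
  return root;
}

// Hardened model: reject the whole property if any segment is blacklisted
// (skipping only the bad segment would silently re-home "og:__proto__:title"
// as og.title), and only descend into own, plain-object properties.
function assignPathSafe(root, property, value) {
  const keys = property.split(':');
  if (keys.some((k) => KEY_BLACKLIST.has(k))) return false;
  let ptr = root;
  while (keys.length > 1) {
    const key = keys.shift();
    const own = Object.prototype.hasOwnProperty.call(ptr, key);
    if (!own || typeof ptr[key] !== 'object' || ptr[key] === null) ptr[key] = {};
    ptr = ptr[key];
  }
  ptr[keys[0]] = value;
  return true;
}

// Detection helper: did a marker property leak into Object.prototype?
function prototypeIsPolluted(marker) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
}

function demo() {
  // Constructed property name standing in for a crafted meta tag.
  assignPathUnsafe({}, 'og:__proto__:polluted', 'yes');
  const unsafeHit = prototypeIsPolluted('polluted');
  delete Object.prototype.polluted; // restore the runtime after the demonstration
  const safeRoot = {};
  const accepted = assignPathSafe(safeRoot, 'og:__proto__:polluted', 'yes');
  const safeHit = prototypeIsPolluted('polluted');
  assignPathSafe(safeRoot, 'og:image:url', 'https://example.invalid/a.png');
  return { unsafeHit, accepted, safeHit, image: safeRoot.og.image.url };
}
```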
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| open-graph (npm) | < 0.2.6 | 0.2.6 |
Affected products
- open-graph/open-graph
Patches
Commit a0cef507a90a: "Patch: Filter out blacklisted keys in og property name"
1 file changed · +7 −0
index.js+7 −0 modified@@ -10,6 +10,11 @@ var shorthandProperties = { "audio": "audio:url" } +var keyBlacklist = [ + '__proto__', + 'constructor', + 'prototype' +] exports = module.exports = function(url, cb, options){ var userAgent = (options || {}).userAgent || 'NodeOpenGraphCrawler (https://github.com/samholmes/node-open-graph)' @@ -122,6 +127,8 @@ exports.parse = function($, options){ while (keys.length > 1) { key = keys.shift(); + if (keyBlacklist.includes(key)) continue + if (Array.isArray(ptr[key])) { // the last index of ptr[key] should become // the object we are examining.
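Review bot: the `continue` added inside the `while (keys.length > 1)` loop only skips the blacklisted segment and keeps walking, so a property such as `og:__proto__:title` is silently stored as `og.title` instead of being dropped; rejecting the whole property when any segment matches `keyBlacklist` (e.g. `if (keyBlacklist.includes(key)) return` before the loop, or a flag checked after it) would be less surprising. The segment left over when the loop exits is assigned outside this hunk and should get the same check, and since `Array.prototype.includes` is used, the package's supported Node version range should be confirmed to include it.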
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-g452-6rfc-vrvx (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23419 (NVD advisory)
- github.com/samholmes/node-open-graph/commit/a0cef507a90adaac7dbbe9c404f09a50bdefb348 (fix commit)
- snyk.io/vuln/SNYK-JS-OPENGRAPH-1536747 (Snyk advisory)