Prototype Pollution
Description
JointJS before 3.4.2 has a type confusion vulnerability in setByPath that allows prototype pollution, bypassing CVE-2020-28480.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JointJS before 3.4.2 has a type confusion vulnerability in setByPath that allows prototype pollution, bypassing CVE-2020-28480.
Vulnerability
The package jointjs before version 3.4.2 contains a type confusion vulnerability in the setByPath function. When user-provided keys in the path parameter are arrays, this flaw can be exploited to bypass the fix for CVE-2020-28480, leading to prototype pollution [1][3].
Exploitation
An attacker needs the ability to supply crafted path arguments to setByPath. By providing array keys that manipulate the __proto__ or prototype properties, the attacker can alter the object prototype chain without triggering the previous security checks [3].
Impact
Successful exploitation allows attackers to pollute the Object prototype, potentially leading to denial of service, property injection, or, in severe cases, remote code execution depending on how the polluted objects are used in the application [3].
Mitigation
Update to version 3.4.2 or later, which was released on September 21, 2021 [1]. Users unable to upgrade should review and sanitize any user-supplied path parameters passed to setByPath.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
jointjsnpm | < 3.4.2 | 3.4.2 |
Affected products
2- jointjs/jointjsdescription
Patches
1e5bf89efef6dutil.setByPath() - prevent prototype pollution (#1514)
2 files changed · +8 −1
src/util/util.mjs+3 −0 modified@@ -140,6 +140,9 @@ export const getByPath = function(obj, path, delimiter) { const isGetSafe = function(obj, key) { // Prevent prototype pollution // https://snyk.io/vuln/SNYK-JS-JSON8MERGEPATCH-1038399 + if (typeof key !== 'string' && typeof key !== 'number') { + key = String(key); + } if (key === 'constructor' && typeof obj[key] === 'function') { return false; }
test/jointjs/core/util.js+5 −1 modified@@ -336,7 +336,11 @@ QUnit.module('util', function(hooks) { assert.deepEqual(joint.util.setByPath({ object: {}}, 'object/1', 'property'), { object: { '1': 'property' }}, 'define property'); }); - ['__proto__/polluted', 'constructor/prototype/polluted'].forEach(function(path) { + [ + '__proto__/polluted', + 'constructor/prototype/polluted', + [['__proto__'], 'polluted'] + ].forEach(function(path) { QUnit.test('setting "' + path + '" does not pollute prototype' , function(assert) { var obj = {}; assert.notOk(obj.polluted);
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-f3pp-32qc-36w4ghsaADVISORY
- github.com/clientIO/joint/commit/e5bf89efef6d5ea572d66870ffd86560de7830a8ghsax_refsource_MISCWEB
- github.com/clientIO/joint/pull/1514ghsax_refsource_MISCWEB
- github.com/clientIO/joint/releases/tag/v3.4.2ghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1655817ghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1655816ghsax_refsource_MISCWEB
- snyk.io/vuln/SNYK-JS-JOINTJS-1579578ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.