Prototype Pollution
Description
Prototype Pollution vulnerability in Dojo Toolkit's setObject function allows attackers to inject properties into Object.prototype, leading to potential RCE or DoS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Dojo Toolkit (all versions) is vulnerable to Prototype Pollution via the setObject function in _base/lang.js [1][3]. This function allows setting properties on objects using a path string, and it does not properly sanitize the __proto__ key, enabling an attacker to pollute the base Object prototype [3]. Affected: all versions of the dojo package [1].
Exploitation
An attacker can exploit this by providing a crafted object with a __proto__ property to the setObject function. No authentication is required if the application processes user-supplied data through this function [3]. The attacker can inject arbitrary properties into Object.prototype, which then propagate to all JavaScript objects in the application [3].
Impact
Successful exploitation leads to Prototype Pollution, which can result in denial of service (via JavaScript exceptions) or remote code execution if the polluted properties affect application logic [3]. The attacker may also tamper with application behavior by overriding existing properties [3].
Mitigation
As of the available references, no patch has been released for the Dojo 1.x line [2]. The Dojo 1.x toolkit is in maintenance mode with no active development [2]. Users should consider migrating to Dojo 2+ or other modern frameworks. No workaround is provided in the references. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
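The Vulnerability section above describes a path-string setter that walks a nested object and does not reject the __proto__ key. The following is an added example, not Dojo's own code and not an official workaround from the references: a hypothetical replacement setter (safeSetObject / parseSafePath, names assumed) that refuses prototype-reaching path segments and only traverses own properties, together with a small check (detectPrototypePollution, also assumed) that a test suite can run to confirm Object.prototype has not gained unexpected properties.

```javascript
// Added example (hypothetical, not from the Dojo project): a hardened
// path-based setter in the spirit of setObject(name, value, context), plus a
// detection helper for prototype pollution.

// Segments that would let a dotted path climb onto a prototype.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Splits a dotted path and rejects empty or prototype-altering segments.
function parseSafePath(path) {
  if (typeof path !== "string" || path.length === 0) {
    throw new TypeError("path must be a non-empty string");
  }
  const parts = path.split(".");
  for (const part of parts) {
    if (part === "" || FORBIDDEN_SEGMENTS.has(part)) {
      throw new Error(`refusing unsafe path segment: "${part}"`);
    }
  }
  return parts;
}

// Sets `value` at `path` under `root`, creating intermediate containers as
// needed. Intermediate containers are null-prototype objects and only own
// properties are followed, so an inherited key such as "toString" is
// shadowed on the target rather than used as a traversal step.
function safeSetObject(path, value, root) {
  const parts = parseSafePath(path);
  let cur = root;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== "object" || cur[key] === null) {
      cur[key] = Object.create(null);
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return root;
}

// Detection helper: snapshot the built-in own property names of
// Object.prototype at load time; any name present later but absent from the
// snapshot indicates pollution (returned as a list, empty when clean).
const BASELINE_PROTO_KEYS = new Set(Object.getOwnPropertyNames(Object.prototype));
function detectPrototypePollution() {
  return Object.getOwnPropertyNames(Object.prototype).filter(
    (k) => !BASELINE_PROTO_KEYS.has(k)
  );
}

// Example usage with constructed input.
const cfg = safeSetObject("config.db.host", "localhost", {});
console.log(cfg.config.db.host); // localhost
console.log(detectPrototypePollution()); // []
```

The setter is deliberately stricter than a plain key allowlist: besides rejecting the three well-known segments, it refuses to descend through inherited properties at all, which also closes the path through objects that reach a prototype indirectly. The detection helper is cheap enough to run as a teardown assertion in a test suite that feeds untrusted path strings through any deep-set utility.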
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dojo (npm) | <= 1.16.4 | — |
Affected products
- dojo/dojo
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-m8gw-hjpr-rjv7 (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2021-23450 (advisory, via GHSA)
- github.com/dojo/dojo/blob/4c39c14349408fc8274e19b399ffc660512ed07c/_base/lang.js#L172 (web, via GHSA)
- lists.debian.org/debian-lts-announce/2023/01/msg00030.html (mailing list, via GHSA)
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2313036 (web, via GHSA)
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2313035 (web, via GHSA)
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBDOJO-2313034 (web, via GHSA)
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2313033 (web, via GHSA)
- snyk.io/vuln/SNYK-JS-DOJO-1535223 (web, via GHSA)
- www.oracle.com/security-alerts/cpuapr2022.html (web, via GHSA)
- www.oracle.com/security-alerts/cpujul2022.html (web, via GHSA)
News mentions
No linked articles in our index yet.