Prototype Pollution
Description
A prototype pollution vulnerability in litespeed.js (before 0.3.12) and Appwrite server-ce (0.12.0–0.12.2, before 0.11.1) allows attackers to modify object prototypes via unvalidated query string keys.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the getJsonFromUrl function of the litespeed.js package (versions before 0.3.12) and the appwrite/server-ce package (versions from 0.12.0 up to but not including 0.12.2, and versions before 0.11.1). When parsing a query string, the function uses each decoded key as a property name on the result object without checking the name, so a key that reaches a prototype (__proto__, or constructor followed by prototype) turns the assignment into a write on the shared prototype instead of into an ordinary entry. This is a classic prototype pollution vulnerability [1][2][3].
Exploitation
An attacker crafts a URL whose query string carries a key that resolves to a prototype, such as __proto__ (or constructor followed by prototype), together with the value to plant. When getJsonFromUrl parses that query string, the unvalidated key is used as a property name on the result object, so the write lands on Object.prototype rather than on an ordinary key. No authentication or special privileges are required: the attacker only has to get the affected code to parse the URL, for example by inducing a user to open a link (client side) or by sending the request directly to a server that parses it [1][2][3].
Impact
Successful exploitation allows the attacker to pollute the global Object.prototype, thereby injecting properties that are inherited by all objects in the JavaScript runtime. This can lead to unexpected behavior, denial of service, or potentially arbitrary code execution depending on how the polluted properties are used by the application. The scope affects both client-side and server-side contexts where the vulnerable packages are used [1][2][3].
Mitigation
- For litespeed.js: upgrade to version 0.3.12 or later [3].
- For appwrite/server-ce: upgrade to version 0.11.1 (for users on 0.11.x) or version 0.12.2 (for users on 0.12.x) [2][4].
- There are no known workarounds other than upgrading to the patched versions. The project maintainers have issued security releases [2][3][4].
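The parser pattern described under Vulnerability and Exploitation, and the reject-list fix that the mitigation relies on, as an added example that is not litespeed.js's or Appwrite's own code: a small query-string parser written the vulnerable way next to a hardened rewrite, with a probe showing that __proto__[polluted]=yes plants a property on Object.prototype through the first parser and not through the second. The function names, the splitParts helper and the sample query are assumptions made for illustration; the bracket form key[index]=value is assumed to be supported, because a flat __proto__=value assignment is inert (the __proto__ accessor ignores non-object values) and on its own pollutes nothing.

```javascript
// Added example, not litespeed.js or Appwrite code: a minimal query-string
// parser in the pattern the advisory describes (each decoded key is written
// into the result object unvalidated) next to a hardened rewrite. The function
// names, the splitParts helper and the sample query are ours.

// Split the "a=b" / "a[b]=c" parts of a query string into [key, index, value]
// triples; index is null for the flat form and "" for "a[]=c".
function splitParts(query) {
  const parts = [];
  for (const raw of query.replace(/^\?/, "").split("&")) {
    if (!raw) continue;
    const eq = raw.indexOf("=");
    const key = decodeURIComponent(eq > -1 ? raw.slice(0, eq) : raw);
    const val = decodeURIComponent(eq > -1 ? raw.slice(eq + 1) : "");
    const open = key.indexOf("[");
    if (open === -1) {
      parts.push([key, null, val]);
    } else {
      const close = key.indexOf("]", open);
      const end = close === -1 ? key.length : close;
      parts.push([key.slice(0, open), key.slice(open + 1, end), val]);
    }
  }
  return parts;
}

// Vulnerable pattern: ordinary object, keys used as-is. For "__proto__[x]=y"
// result["__proto__"] resolves through the inherited accessor to
// Object.prototype, so the nested write lands on every object in the runtime.
function parseQueryVulnerable(query) {
  const result = {};
  for (const [key, index, val] of splitParts(query)) {
    if (index === null) {
      result[key] = val;                 // flat "__proto__=y" is inert: the accessor
      continue;                          // ignores non-object values
    }
    if (!result[key]) result[key] = [];  // Object.prototype is truthy, so it is kept
    if (index === "") result[key].push(val);
    else result[key][index] = val;       // here: Object.prototype[index] = val
  }
  return result;
}

// Hardened rewrite: a null-prototype result object (nothing inherited to reach)
// plus an explicit reject list for the names that lead to a prototype, the
// usual fix for this parser shape.
const PROTOTYPE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function parseQuerySafe(query) {
  const result = Object.create(null);
  for (const [key, index, val] of splitParts(query)) {
    if (PROTOTYPE_KEYS.has(key) || (index !== null && PROTOTYPE_KEYS.has(index))) {
      continue;                          // drop the part outright; do not "sanitise" it
    }
    if (index === null) {
      result[key] = val;
      continue;
    }
    if (!Array.isArray(result[key])) result[key] = [];
    if (index === "") result[key].push(val);
    else result[key][index] = val;
  }
  return result;
}

// Probe: has something been planted on the shared prototype?
function isPolluted() {
  return Object.prototype.hasOwnProperty.call(Object.prototype, "polluted");
}

// Runs the constructed payload through both parsers and records the effect.
function demo() {
  const payload = "?__proto__[polluted]=yes&page=2";  // constructed sample query
  const steps = {};
  steps.before = isPolluted();                         // false
  parseQueryVulnerable("?__proto__=yes");
  steps.afterFlatKey = isPolluted();                   // false: flat form does nothing
  parseQueryVulnerable(payload);
  steps.afterVulnerable = isPolluted();                // true: ({}).polluted === "yes"
  delete Object.prototype.polluted;                    // reset before the safe run
  const safe = parseQuerySafe(payload);
  steps.afterSafe = isPolluted();                      // false
  steps.safeKeptPage = safe.page === "2";              // benign parameters survive
  return steps;
}
```

Run it with node; demo() returns the per-step probe results. The null-prototype result object matters as much as the reject list: on an object created with Object.create(null), __proto__ is just an ordinary key, so even a spelling the list misses cannot reach the shared prototype. Code that consumes the parsed result should likewise check own properties (Object.hasOwn or hasOwnProperty) rather than trusting inherited ones, which is what turns a polluted prototype into a logic bypass.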
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| litespeed.js (npm) | < 0.3.12 | 0.3.12 |
| appwrite/server-ce (Packagist) | >= 0.12.0, < 0.12.2 | 0.12.2 |
| appwrite/server-ce (Packagist) | < 0.11.1 | 0.11.1 |
Affected products (3)
- litespeed.js/litespeed.js
- ghsa-coords (2 version ranges): >= 0.12.0, < 0.12.2, plus 1 more
- (no CPE) range: >= 0.12.0, < 0.12.2
- (no CPE) range: < 0.3.12
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (8)
- github.com/advisories/GHSA-v9p9-535w-4285 (source: ghsa; advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23682 (source: ghsa; advisory)
- github.com/appwrite/appwrite/pull/2778 (source: ghsa; web, x_refsource_MISC)
- github.com/appwrite/appwrite/releases/tag/0.11.1 (source: ghsa; web, x_refsource_MISC)
- github.com/appwrite/appwrite/releases/tag/0.12.2 (source: ghsa; web, x_refsource_MISC)
- github.com/litespeed-js/litespeed.js/pull/18 (source: ghsa; web, x_refsource_MISC)
- snyk.io/vuln/SNYK-JS-LITESPEEDJS-2359250 (source: ghsa; web, x_refsource_MISC)
- snyk.io/vuln/SNYK-PHP-APPWRITESERVERCE-2401820 (source: ghsa; web, x_refsource_MISC)
News mentions (0)
No linked articles in our index yet.