CVE-2021-26505
Description
Prototype pollution in hello.js v1.18.6 via hello.utils.extend allows remote attackers to execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The hello.utils.extend function in MrSwitch hello.js version 1.18.6 is vulnerable to prototype pollution [1][3]. The function recursively merges the properties of a source object into a target object but does not filter the keys __proto__ and constructor. Because reading r['__proto__'] on a plain object target resolves to Object.prototype, a source object that carries a __proto__ key makes the recursion write attacker-chosen properties onto the shared Object prototype, where every object in the page inherits them; depending on how the application consumes those properties, this can escalate to arbitrary code execution [2][3].
Exploitation
To exploit the flaw, an attacker must get a crafted object passed to hello.utils.extend as the source argument, either by calling the function directly or through user-supplied input (such as parsed JSON) that the application later merges with the library [1]. No authentication is required when the merge runs client-side in a web application on attacker-influenced data. Because the merge walks every enumerable key of the source without checking for prototype-chain names, a payload of the form {"__proto__": {...}} or {"constructor": {"prototype": {...}}} reaches Object.prototype, and the injected properties or methods then appear on every object in the application [3].
Impact
The impact depends on which polluted properties the application reads. A successful attack can enable remote code execution, cross-site scripting (XSS), or other client-side attacks [3]: by polluting the prototype, the attacker overrides the default behaviour of objects used throughout the application, and where a polluted property reaches a code-evaluation or DOM-insertion sink this becomes arbitrary code execution in the browser context [2].
Mitigation
The hello.js repository fixed the issue by adding a check that skips the keys __proto__ and constructor during the merge [4]. Users should upgrade to a patched release (1.18.8 or later, matching the GitHub Security Advisory version range listed below) or apply the same skip check to any locally copied extend function [1][4].
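A worked example of the merge behaviour described under Overview and Exploitation, together with the key filter applied by the fix, written here as an added illustration rather than hello.js's own code: mergeInto reproduces only the object-merge branch visible in the patch hunk, while the non-object branch, the function names (mergeInto, demoVulnerable, demoPatched, demoPatchedConstructorRoute) and the attacker payloads are assumptions of this example.

```javascript
// Added illustration, not hello.js code. mergeInto follows the object-merge
// branch shown in the fix commit; the non-object branch, the function names
// and the payloads below are assumptions of this example.

function mergeInto(r, a, skipPrototypeKeys) {
  // Branch visible in the patch: both sides are objects, merge key by key.
  if (r && (r instanceof Object || typeof r === 'object') &&
      a && (a instanceof Object || typeof a === 'object') && r !== a) {
    for (var x in a) {
      // The fix: refuse to descend into the prototype chain.
      if (skipPrototypeKeys && (x === '__proto__' || x === 'constructor')) {
        continue;
      }
      // Unpatched: when x === '__proto__', r[x] resolves to the target's
      // prototype (Object.prototype for a plain object), so the recursion
      // writes the attacker's keys onto every object in the realm.
      r[x] = mergeInto(r[x], a[x], skipPrototypeKeys);
    }
    return r;
  }
  // Assumed non-object branch: the source value replaces the target value.
  return a === undefined ? r : a;
}

// Constructed attacker input, as it would arrive from JSON.parse on untrusted
// data. JSON.parse creates an own, enumerable "__proto__" key that for-in lists.
const PAYLOAD = '{"__proto__": {"isAdmin": true}, "name": "guest"}';

// The constructor.prototype route, blocked by the same 'constructor' check.
const PAYLOAD_CTOR = '{"constructor": {"prototype": {"isAdmin": true}}}';

function readThenCleanup() {
  // Read the would-be polluted key off a fresh, unrelated object, then remove
  // it so later checks start from a clean Object.prototype.
  const leaked = ({}).isAdmin;
  delete Object.prototype.isAdmin;
  return leaked;
}

// Unpatched merge: a fresh object now inherits isAdmin === true.
function demoVulnerable() {
  mergeInto({}, JSON.parse(PAYLOAD), false);
  return readThenCleanup();
}

// Patched merge: prototype keys are skipped, ordinary keys still merge.
function demoPatched() {
  const target = mergeInto({}, JSON.parse(PAYLOAD), true);
  return { leaked: readThenCleanup(), name: target.name, keys: Object.keys(target) };
}

function demoPatchedConstructorRoute() {
  mergeInto({}, JSON.parse(PAYLOAD_CTOR), true);
  return readThenCleanup();
}
```

demoVulnerable returns true because the inner recursion assigned onto Object.prototype itself; demoPatched returns an undefined leak with only the ordinary key "name" merged, and the constructor route is blocked by the same check. The cleanup step matters in any test harness, since a polluted prototype persists for the life of the realm.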
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hellojs (npm) | < 1.18.8 | 1.18.8 |
Affected products
- MrSwitch/hello.js
Patches
17ab50aeff2d4 fix: prototype pollution, #634
1 file changed · +5 −0
src/hello.js+5 −0 modified@@ -26,6 +26,11 @@ hello.utils = { } else if (r && (r instanceof Object || typeof r === 'object') && a && (a instanceof Object || typeof a === 'object') && r !== a) { for (var x in a) { + // Prevent prototype pollution + if (x === '__proto__' || x === 'constructor') { + continue; + } + r[x] = hello.utils.extend(r[x], a[x]); } }
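Review bot: the skip list inside the for-in loop omits 'prototype', and because the outer guard accepts any `r instanceof Object`, a function can be the merge target, so a source carrying a `prototype` key would still be recursed into that function's .prototype object; consider `if (x === '__proto__' || x === 'constructor' || x === 'prototype') { continue; }`. The loop also keeps `for (var x in a)`, which enumerates inherited enumerable keys of the source as well as its own, so adding an `Object.prototype.hasOwnProperty.call(a, x)` test beside the skip would stop keys already sitting on a prototype from being copied into the target.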
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.