Prototype Pollution in fabiocaccamo/utils.js
Description
The utils.js JavaScript library before commit 102efaf is vulnerable to prototype pollution via dot-notation path assignment, allowing attackers to modify Object.prototype.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The utils.js library (zero-dependency vanilla JavaScript utilities) before commit 102efaf (December 2021) contains a prototype pollution vulnerability in its object path assignment functionality. It allows setting properties using dot-notation paths (e.g., f(o, '__proto__.polluted', true)) without proper validation, enabling modification of Object.prototype. Affected versions include all releases prior to this fix [1][2][3].
Exploitation
An attacker can supply a crafted input that uses __proto__ as a path component when calling functions that assign values via dot-notation paths. No authentication is required; the exploit can be triggered if an application passes user-controlled data to the affected functions. The vulnerability does not require user interaction beyond the application processing the crafted data [3][4].
Impact
Successful exploitation pollutes the global Object.prototype, affecting all objects in the runtime. This can lead to property injection, denial of service, or arbitrary code execution depending on how the application handles object properties. The attack achieves prototype pollution, a compromise of integrity and availability [2][3].
Mitigation
The fix was made in commit 102efaf (see [3]) and is included in releases after that date. Users should update to the latest version of the library. This CVE is not listed in the CISA KEV catalog. If updating is not possible, avoid passing untrusted data to functions that perform deep object assignment by path. The vulnerability was reported via huntr.dev [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
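As an added example (not the library's own code), the setter below reproduces the vulnerable dot-notation assignment the advisory describes beside a hardened version that also rejects `constructor` and `prototype`, plus a regression check a test suite can run to prove a setter no longer reaches Object.prototype; all function names are this example's own.

```javascript
// Added example (not utils.js code): a dot-notation path setter in the shape the
// advisory describes, vulnerable and hardened. Function names are this example's own.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: follows every segment, so '__proto__' steps onto Object.prototype
// and the leaf assignment lands on the shared prototype.
function setByPathUnsafe(obj, path, value) {
  const keys = path.split('.');
  let cursor = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (typeof cursor[key] !== 'object' || cursor[key] === null) cursor[key] = {};
    cursor = cursor[key];
  }
  cursor[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: rejects reserved segments at any position (the patch checks only
// '__proto__'), throws rather than silently dropping the write, and descends
// only into own properties so inherited ones are never followed.
function setByPathSafe(obj, path, value) {
  const keys = path.split('.');
  for (const key of keys) {
    if (RESERVED_KEYS.has(key)) throw new TypeError(`reserved key "${key}" in path "${path}"`);
  }
  let cursor = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cursor, key);
    if (!own || typeof cursor[key] !== 'object' || cursor[key] === null) cursor[key] = {};
    cursor = cursor[key];
  }
  cursor[keys[keys.length - 1]] = value;
  return obj;
}

// Regression check: does `setter` let `path` reach Object.prototype? A fresh {}
// seeing the marker proves pollution; any residue is deleted so tests stay clean.
function pollutesPrototype(setter, path) {
  const leaf = path.split('.').pop();
  const marker = {};
  let polluted = false;
  try {
    setter({}, path, marker);
    polluted = ({})[leaf] === marker;
  } catch (e) { /* hardened setter rejected the path: not polluted */ }
  if (Object.prototype.hasOwnProperty.call(Object.prototype, leaf)) delete Object.prototype[leaf];
  return polluted;
}
```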
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @fabiocaccamo/utils.js (npm) | < 0.17.2 | 0.17.2 |
Affected products
- fabiocaccamo / fabiocaccamo/utils.js (v5), range: unspecified
Patches
- 102efafb291c: Fixed prototype pollution. #6
2 files changed · +8 −0
src/utils/ObjectUtil.js+3 −0 modified@@ -217,6 +217,9 @@ ObjectUtil = { var cursor = obj; for (var i = 0, j = keys.length; i < j; i++) { key = keys[i]; + if (key === '__proto__') { + break; + } if (!TypeUtil.isObject(cursor[key])) { cursor[key] = {}; }
test/test_object.js+5 −0 modified@@ -304,6 +304,11 @@ describe('object', function() { f(o, 'e.f.g', 'ok 2'); test.assertEqual(o['e']['f']['g'], 'ok 2'); }); + it('test prototype pollution', function() { + f(o, '__proto__.polluted', true); + test.assertUndefined(o['polluted']); + test.assertUndefined({}.polluted); + }); }); describe('length', function() { var f = obj.length;
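Review bot: The guard added in src/utils/ObjectUtil.js matches only the literal key '__proto__', so a path whose segments are 'constructor' then 'prototype' is not rejected by this hunk; whether such a path still reaches Object.prototype depends on what TypeUtil.isObject returns for functions, which is not visible here. The `break` also abandons the walk silently, so a caller cannot distinguish an ignored write from a successful one. Consider rejecting 'constructor' and 'prototype' alongside '__proto__' and throwing (or returning an explicit failure) instead of breaking out of the loop.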
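Review bot: The new test in test/test_object.js covers only a leading '__proto__' segment; add cases with the segment in a nested position (e.g. 'a.__proto__.polluted') and with 'constructor.prototype.polluted', since the assertions on o['polluted'] and {}.polluted only prove those paths are blocked if the guard covers them. The test also has no cleanup: if a regression ever does set Object.prototype.polluted, the value leaks into every later test in the run, so delete it at the end of the test or in an afterEach hook.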
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-3xph-cp8f-2229 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2021-3815 (advisory)
- [3] github.com/fabiocaccamo/utils.js/commit/102efafb291ce1916985514440d3bf8a6826890a (fix commit, x_refsource_MISC)
- [4] huntr.dev/bounties/20f48c63-f078-4173-bcac-a9f34885f2c0 (bounty report, x_refsource_CONFIRM)