Yomguithereal Baobab prototype pollution
Description
Baobab ≤2.6.0 is vulnerable to prototype pollution via deepMerge, allowing remote attackers to pollute Object.prototype.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A prototype pollution vulnerability (improperly controlled modification of object prototype attributes) exists in Yomguithereal Baobab versions up to and including 2.6.0. The affected code is the deep-merge helper, the `merger` function in src/helpers.js that backs deepMerge: when it recurses into nested objects it does not skip the `__proto__`, `constructor` and `prototype` keys, so a crafted input object can reach Object.prototype and add properties to it [1][2].
Exploitation
The attack can be launched remotely and needs no authentication or special privileges. The proof of concept passes a JSON document containing a `__proto__` key, for example `{"__proto__": {"polluted": true}}`, to deepMerge; the document is built with JSON.parse so that `__proto__` is an own key of the parsed object rather than its prototype. After the call, `{}.polluted` reads `true` on a fresh object where it read `undefined` before, showing that Object.prototype itself was modified [4].
Impact
Successful prototype pollution lets an attacker attach properties to Object.prototype, which every ordinary object in the process inherits. Depending on how the application reads those properties, the result ranges from property injection that changes application logic or bypasses checks, to denial of service, to arbitrary code execution where a polluted value reaches a code-executing sink [4].
Mitigation
Upgrading to Baobab version 2.6.1 resolves the issue. The fix, commit c56639532a923d9a1600fb863ec7551b188b5d19 (pull request #511), makes the merge helper skip the `__proto__`, `constructor` and `prototype` keys when recursing, so they can no longer be used to reach the object prototype [1][3]. Users are recommended to upgrade immediately [2]. Applications that deep-merge untrusted input with other code should apply the same key filter, or keep such data in prototype-less objects created with Object.create(null).
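The exploit path from the Exploitation section and the key filter from the Mitigation section, as an added example in JavaScript that is not Baobab's code: `deepMergeVulnerable` is a minimal recursive merge written to mirror the `o[k] = merger(true, o[k] || {}, t[k])` pattern visible in the patched hunk, `deepMergeSafe` is the hardened form, and `deepMergePartial` is a hypothetical variant (not any Baobab release) that only filters the key on the recursion branch, included to show why the key has to be skipped outright. The payload is constructed here to stand in for an attacker-controlled JSON request body; Node.js is assumed.

```javascript
// Added example, not Baobab's code: a minimal recursive merge written to
// mirror the vulnerable pattern, a hypothetical half-fix, and a hardened merge.
// Assumes Node.js; PAYLOAD is constructed here in place of an attacker-
// controlled JSON request body.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: recurses into every key of the source, "__proto__" included.
// With target = {}, target["__proto__"] is Object.prototype, so the recursive
// call writes the attacker's properties straight onto the global prototype.
function deepMergeVulnerable(target, source) {
  for (const k in source) {
    if (isPlainObject(source[k])) {
      target[k] = deepMergeVulnerable(target[k] || {}, source[k]);
    } else {
      target[k] = source[k];
    }
  }
  return target;
}

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hypothetical half-fix (not what any Baobab release ships): the key filter is
// attached only to the recursion branch, so an unsafe key with an object value
// falls through to plain assignment. target["__proto__"] = {...} leaves
// Object.prototype alone but replaces the target's own prototype with attacker data.
function deepMergePartial(target, source) {
  for (const k in source) {
    if (isPlainObject(source[k]) && !UNSAFE_KEYS.has(k)) {
      target[k] = deepMergePartial(target[k] || {}, source[k]);
    } else {
      target[k] = source[k];
    }
  }
  return target;
}

// Hardened: own keys only, unsafe keys dropped before either branch, and the
// recursion target reused only when it is an own plain-object property.
function deepMergeSafe(target, source) {
  for (const k of Object.keys(source)) {
    if (UNSAFE_KEYS.has(k)) continue;
    if (isPlainObject(source[k])) {
      const own = Object.prototype.hasOwnProperty.call(target, k) && isPlainObject(target[k]);
      target[k] = deepMergeSafe(own ? target[k] : {}, source[k]);
    } else {
      target[k] = source[k];
    }
  }
  return target;
}

// Constructed attacker payload. JSON.parse yields an own "__proto__" key; an
// object literal with the same text would instead set the literal's prototype.
const PAYLOAD = '{"__proto__": {"polluted": true}, "name": "x"}';

// Runs one merge against a fresh target and reports what changed, then undoes
// any global pollution so the next run starts from a clean prototype.
function demonstrate(mergeFn) {
  const before = ({}).polluted;                  // undefined on a clean runtime
  const target = {};
  mergeFn(target, JSON.parse(PAYLOAD));
  const after = ({}).polluted;                   // true only if Object.prototype was polluted
  const ownProtoReplaced = Object.getPrototypeOf(target) !== Object.prototype;
  delete Object.prototype.polluted;
  return { before, after, name: target.name, ownProtoReplaced };
}

console.log('vulnerable:', demonstrate(deepMergeVulnerable));
console.log('partial:   ', demonstrate(deepMergePartial));
console.log('hardened:  ', demonstrate(deepMergeSafe));
```

The `before`/`after` pair is the same check the proof of concept uses; `ownProtoReplaced` is the extra check worth adding to any fix, because a merge that merely avoids recursing into `__proto__` can still assign it and swap the target's prototype.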
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| baobab (npm) | < 2.6.1 | 2.6.1 |
Affected products
- Range: 2.0
Patches
- c56639532a92: Security Fix for Prototype Pollution (#511)
2 files changed · +10 −1
src/helpers.js+2 −1 modified@@ -444,7 +444,8 @@ function merger(deep, ...objects) { for (k in t) { if (deep && type.object(t[k]) && - !(t[k] instanceof Monkey)) { + !(t[k] instanceof Monkey) && + !(k === '__proto__' || k === 'constructor' || k === 'prototype')) { o[k] = merger(true, o[k] || {}, t[k]); } else {
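Review bot: the new key check is added as one more condition on the deep-merge branch, so when `k` is `__proto__`, `constructor` or `prototype` and `t[k]` is an object the loop does not skip the key; it falls through to the `else` branch, whose body is outside this hunk. If that branch assigns `o[k] = t[k]`, a `__proto__` key still replaces the target object's own prototype with attacker data, which is weaker than global pollution but still lets a payload shadow inherited properties on the merged tree. Suggest hoisting the test above the `if` and skipping the key outright, e.g. `if (k === '__proto__' || k === 'constructor' || k === 'prototype') continue;`. Separately, `for (k in t)` also walks inherited enumerable keys, so an `Object.prototype.hasOwnProperty.call(t, k)` guard would keep an already polluted prototype from being copied into every merge.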
test/suites/helpers.ts+8 −0 modified@@ -94,6 +94,14 @@ describe('Helpers', function() { {one: {two: [3, 4]}, three: 3} ); }); + + it('merge should not pollute object prototype.', function() { + const data = JSON.parse('{"__proto__": {"polluted": true}}'); + + deepMerge({}, data); + + assert.equal(Object.keys(Object.prototype).includes('polluted'), false); + }); }); /**
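Review bot: the new test only asserts that `Object.prototype` gained no own `polluted` key; it does not check that the merge target's own prototype is intact, nor that the `constructor` and `prototype` keys the helper change also filters are covered. Suggest keeping the result (`const o = deepMerge({}, data);`), adding `assert.strictEqual(Object.getPrototypeOf(o), Object.prototype);`, and a second case built from `'{"constructor": {"prototype": {"polluted": true}}}'`. Building the payload with `JSON.parse` is the right choice here: an object literal `{__proto__: {...}}` would set the literal's prototype instead of creating an own key, and the test would pass without exercising the fix.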
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Yomguithereal/baobab/commit/c56639532a923d9a1600fb863ec7551b188b5d19 (GHSA, patch)
- github.com/Yomguithereal/baobab/releases/tag/2.6.1 (GHSA, patch)
- github.com/advisories/GHSA-wvr2-q86m-6whp (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-4307 (GHSA, advisory)
- github.com/Yomguithereal/baobab/pull/511 (GHSA, issue tracking)
- vuldb.com (GHSA, signature, permissions required)
- vuldb.com (GHSA, VDB entry, technical description)
News mentions
No linked articles in our index yet.