VYPR
High severity · NVD Advisory · Published May 1, 2022 · Updated Sep 16, 2024

Prototype Pollution

CVE-2022-21189

Description

The package dexie before 3.2.2, and from 4.0.0-alpha.1 before 4.0.0-alpha.3, is vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function, which does not properly check the keys being set (like __proto__ or constructor). This can allow an attacker to add/modify properties of Object.prototype, leading to a prototype pollution vulnerability. Note: This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dexie.js's setByKeyPath function fails to sanitize prototype keys like __proto__, enabling prototype pollution in versions before 3.2.2 and 4.0.0-alpha.3.

Vulnerability

The Dexie.js library (versions before 3.2.2, and from 4.0.0-alpha.1 before 4.0.0-alpha.3) contains a prototype pollution vulnerability in the Dexie.setByKeyPath(obj, keyPath, value) function [1][4]. When a dotted key path is written, the function reads obj[segment] for each intermediate segment and reuses whatever it gets as the target for the rest of the path. It does not check whether that segment names an inherited property such as __proto__ (which yields Object.prototype) or constructor (which yields Object, whose .prototype is again Object.prototype), so an attacker-controlled key path can inject properties into the shared Object.prototype [1]. The vulnerability can be triggered wherever untrusted user input reaches the key path, for example during collection modifications [1].

Exploitation

An attacker exploits this by supplying a crafted key path such as "__proto__.polluted" (or "constructor.prototype.polluted") to setByKeyPath, which then sets the property on Object.prototype instead of on the intended record [1][4]. This requires control of the keyPath parameter passed to the vulnerable function, typically through user-supplied field names that are not validated before being used in database operations [4]. No authentication is needed when the vulnerable code path is reachable from client-side or server-side input; the concrete attack vector depends on how the application uses Dexie.js.

Impact

Successful exploitation leads to prototype pollution, where an attacker can add or modify properties on Object.prototype [1][3]. This can result in unexpected behavior across the application, potential denial of service through JavaScript exceptions, or, in more severe cases, remote code execution if the polluted properties affect control flow or security checks [3][4]. The impact is limited by how the affected application uses the polluted object properties.

Mitigation

Users should upgrade to Dexie.js version 3.2.2 or later (for the 3.x line) or version 4.0.0-alpha.3 or later (for the 4.x line) [1][4]. There is no known workaround that fully mitigates the vulnerability without patching; until the upgrade lands, applications can reduce exposure by refusing key paths derived from untrusted input whenever any segment is __proto__, constructor or prototype. The fix (see Patches below) changes setByKeyPath so that an inherited property is no longer reused as the target of a nested write: a fresh own object is created instead, so the write can no longer land on Object.prototype. As of the publication date (2022-05-01), no KEV listing has been reported [1].
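Worked example for the Vulnerability, Exploitation and Mitigation sections above. This is an added illustration, not Dexie's own code: it models the dotted-string branch of setByKeyPath as it behaved before and after commit 1d655a69b9f2, runs the two attacker key paths from the text against each model, and adds a stricter variant (an assumption of this example, not the upstream fix) that rejects reserved segments outright. The helper names, the attack paths and the probe objects are all constructed here.

```javascript
// Added example, not Dexie's own code: simplified models of the dotted-string
// branch of setByKeyPath before and after the fix, plus a stricter variant.

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Pre-fix behaviour: whatever obj[head] yields is reused as the next target,
// so an inherited value such as obj["__proto__"] (=== Object.prototype) or
// obj["constructor"] (=== Object) becomes the object that gets written to.
function setByKeyPathVulnerable(obj, keyPath, value) {
  const period = keyPath.indexOf(".");
  if (period === -1) { obj[keyPath] = value; return; }
  const head = keyPath.slice(0, period);
  const rest = keyPath.slice(period + 1);
  let inner = obj[head];
  if (!inner) inner = obj[head] = {};
  setByKeyPathVulnerable(inner, rest, value);
}

// Post-fix behaviour (the hasOwn guard from the patch): an inherited value is
// never reused as the target; a fresh own object is assigned instead.
function setByKeyPathPatched(obj, keyPath, value) {
  const period = keyPath.indexOf(".");
  if (period === -1) { obj[keyPath] = value; return; }
  const head = keyPath.slice(0, period);
  const rest = keyPath.slice(period + 1);
  let inner = obj[head];
  if (!inner || !hasOwn(obj, head)) inner = obj[head] = {};
  setByKeyPathPatched(inner, rest, value);
}

// Stricter variant (this example's assumption, not the upstream fix): refuse
// any segment that can reach a prototype before touching the object at all.
const RESERVED_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);
function setByKeyPathStrict(obj, keyPath, value) {
  for (const segment of keyPath.split(".")) {
    if (RESERVED_SEGMENTS.has(segment)) {
      throw new TypeError(`refusing reserved key path segment "${segment}"`);
    }
  }
  setByKeyPathPatched(obj, keyPath, value);
}

// Constructed attacker-controlled key paths, e.g. field names from a JSON body.
const ATTACK_PATHS = ["__proto__.pollutedA", "constructor.prototype.pollutedB"];

// Runs the vulnerable model, reports what an unrelated object now inherits,
// then removes the pollution again so the process is left clean.
function demoVulnerable() {
  for (const path of ATTACK_PATHS) setByKeyPathVulnerable({}, path, "owned");
  const unrelated = {};
  const result = { viaProto: unrelated.pollutedA, viaConstructor: unrelated.pollutedB };
  delete Object.prototype.pollutedA;
  delete Object.prototype.pollutedB;
  return result;
}

// Runs the patched model: Object.prototype stays clean, but note the side
// effect on the target itself, whose prototype is replaced by the fresh {}
// because assigning obj["__proto__"] still invokes the __proto__ setter.
function demoPatched() {
  const target = {};
  for (const path of ATTACK_PATHS) setByKeyPathPatched(target, path, "owned");
  const unrelated = {};
  return {
    globalClean: unrelated.pollutedA === undefined && unrelated.pollutedB === undefined,
    targetSeesValue: target.pollutedA,
    targetPrototypeReplaced: Object.getPrototypeOf(target) !== Object.prototype,
    constructorShadowed: hasOwn(target, "constructor"),
  };
}

// The strict variant rejects both attack paths and still handles normal ones.
function demoStrict() {
  const target = {};
  let rejected = 0;
  for (const path of ATTACK_PATHS) {
    try { setByKeyPathStrict(target, path, "owned"); }
    catch (e) { if (e instanceof TypeError) rejected++; else throw e; }
  }
  setByKeyPathStrict(target, "address.city", "Oslo");
  return {
    rejected,
    city: target.address.city,
    prototypeIntact: Object.getPrototypeOf(target) === Object.prototype,
  };
}
```

demoVulnerable shows both paths from the Exploitation section landing on Object.prototype, so an unrelated object inherits the injected value. demoPatched shows the caveat of the hasOwn guard: Object.prototype stays clean, but because obj["__proto__"] = {} goes through the __proto__ setter, the target object comes back with a replaced prototype and a shadowed own constructor. The strict variant avoids both effects by rejecting the reserved segments before any write.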

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions                    Patched version
dexie     npm         < 3.2.2                              3.2.2
dexie     npm         >= 4.0.0-alpha.1, < 4.0.0-alpha.3    4.0.0-alpha.3

Affected products

3
  • dexie/dexie (source: description)
  • dexie/dexie (source: llm-create)
    Range: <3.2.2, >=4.0.0-alpha.1 <4.0.0-alpha.3
  • ghsa-coords (GitHub Security Advisory coordinates)
    Range: < 3.2.2

Patches

1
1d655a69b9f2

Prohibit prototype pollution

https://github.com/dexie/Dexie.js · dfahlander · Apr 27, 2022 · via ghsa
1 file changed · +1 −1
  • src/functions/utils.ts · +1 −1 · modified
    @@ -151,7 +151,7 @@ export function setByKeyPath(obj, keyPath, value) {
                     } else obj[currentKeyPath] = value;
                 else {
                     var innerObj = obj[currentKeyPath];
    -                if (!innerObj) innerObj = (obj[currentKeyPath] = {});
    +                if (!innerObj || !hasOwn(obj, currentKeyPath)) innerObj = (obj[currentKeyPath] = {});
                     setByKeyPath(innerObj, remainingKeyPath, value);
                 }
             } else {
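Review bot: the hasOwn guard only covers the recursive branch; the leaf assignment at the top of the hunk, `} else obj[currentKeyPath] = value;`, and the `obj[currentKeyPath] = {}` on the changed line still write through obj["__proto__"] when that is the segment, which invokes the __proto__ setter and swaps the target object's prototype for the new value instead of creating an own property. Object.prototype stays clean, but the object handed in now inherits from whatever the attacker named, and the same hasOwn test now shadows legitimately inherited sub-objects on class instances with a fresh own `{}`. Rejecting `__proto__`, `constructor` and `prototype` as path segments up front (or writing with Object.defineProperty) would close the leaf case and make the intent explicit; either way, the new behaviour deserves a comment here.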
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.