VYPR
High severity · NVD Advisory · Published Apr 15, 2022 · Updated Sep 17, 2024

Prototype Pollution

CVE-2022-24279

Description

madlib-object-utils before 0.1.8 allows prototype pollution via the setValue method due to incomplete fix of CVE-2020-7701, enabling attackers to inject properties into Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The package madlib-object-utils (versions before 0.1.8) is vulnerable to prototype pollution via the setValue method. The method attempts to block the __proto__ and constructor keys, but the fix is incomplete: the check is applied only to the first segment of the path, and the method never verifies that the object it is writing into actually owns the property it traverses when setting nested values, so an attacker can reach and pollute Object.prototype [1][2][3].

Exploitation

An attacker can call setValue with a path such as __proto__.polluted and a value; the setter walks into the object's prototype chain and writes the property onto the shared prototype. No special privileges are required, only the ability to pass controlled input to this method. The attack exploits the incomplete fix implemented after CVE-2020-7701, which only blocks __proto__ as the first path segment but does not guard the nested keys assigned along the rest of the path [3].

Impact

Successful prototype pollution allows the attacker to inject properties into all objects in the runtime, potentially leading to denial of service, property tampering, or remote code execution depending on how the polluted properties are used by the application [2]. The scope is global, affecting all object instances.

Mitigation

The vulnerability is fixed in version 0.1.8 of madlib-object-utils, which ships the commit that adds a hasOwnProperty check before each nested write to the object [3]. Users should upgrade to version 0.1.8 or later. If upgrading is not possible, avoid calling setValue with user-provided paths, or validate paths so that no segment is __proto__ or constructor. The repository has been archived [4].
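The block below is an added example, not code from madlib-object-utils or its author. It shows a nested setter that applies the same own-property principle as the 0.1.8 fix, with two extra precautions a defender would want: the own-property test goes through Object.prototype.hasOwnProperty.call so it also works for objects created with Object.create(null), and every path segment is validated up front so a bad path is rejected before any write happens. The names validatePath, safeSetValue and FORBIDDEN_KEYS are this example's own; the "%2E" escape for literal dots mirrors the library's convention.

```javascript
// Added example (not madlib-object-utils' own code): a hardened nested setter.
// Function and constant names here are this example's own assumptions.

// Keys that, as a path segment, would walk into the prototype chain.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split a dotted path into segments (a literal dot is written "%2E", as in
// the library) and refuse any empty or forbidden segment before writing.
function validatePath(path) {
  const segments = String(path).split(".").map((s) => s.replace("%2E", "."));
  for (const seg of segments) {
    if (seg === "" || FORBIDDEN_KEYS.has(seg)) {
      return { ok: false, segments, reason: `rejected segment ${JSON.stringify(seg)}` };
    }
  }
  return { ok: true, segments, reason: null };
}

// Set `value` at `path` inside `target`, creating intermediate plain objects.
// Returns true on success and false when the path was rejected. It never
// traverses or overwrites an inherited property, so Object.prototype is
// unreachable even if a forbidden key somehow slipped past validatePath.
function safeSetValue(target, path, value) {
  const { ok, segments } = validatePath(path);
  if (!ok || typeof target !== "object" || target === null) return false;

  let current = target;
  for (let i = 0; i < segments.length; i++) {
    const key = segments[i];
    const last = i === segments.length - 1;
    // Call hasOwnProperty from Object.prototype: safe for Object.create(null)
    // targets and immune to an own key that shadows the method.
    const hasOwn = Object.prototype.hasOwnProperty.call(current, key);
    if (!hasOwn && current[key] !== undefined) {
      // Inherited, non-own property on the way (e.g. toString): refuse.
      return false;
    }
    if (last) {
      current[key] = value;
      return true;
    }
    if (current[key] == null) {
      current[key] = {}; // create the missing intermediate as an own property
    } else if (typeof current[key] !== "object") {
      return false; // cannot descend into a primitive
    }
    current = current[key];
  }
  return false;
}

// Stand-alone demo: legitimate nested writes succeed, prototype-reaching
// paths are rejected, and Object.prototype stays clean afterwards.
if (typeof require !== "undefined" && require.main === module) {
  const target = { a: { b: 1 } };
  console.log(safeSetValue(target, "a.c", 2), JSON.stringify(target));
  console.log(safeSetValue(target, "__proto__.polluted", true));
  console.log(safeSetValue(target, "constructor.prototype.polluted", "yes"));
  console.log("Object.prototype.polluted:", Object.prototype.polluted);
}
```

The validator and the own-property check are deliberately redundant: the validator gives callers a clear rejection reason for user-supplied paths, while the own-property check is the invariant that holds regardless of how the path was built.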

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Ecosystem   Affected versions   Patched versions
madlib-object-utils  npm         < 0.1.8             0.1.8

Affected products

2

Patches

1
8d5d54c11c8f

fix(set-value): prototype pollution

https://github.com/Qwerios/madlib-object-utils · Mark Doeswijk · Mar 7, 2022 · via ghsa
3 files changed · +9 −23
  • lib/utils.js  +3 −12  modified
    @@ -30,12 +30,6 @@
           aPath = ("" + path).split(".");
           value = object;
           key = aPath.shift();
    -      if (key === 'constructor' && typeof object[key] === 'function') {
    -        return;
    -      }
    -      if (key === '__proto__') {
    -        return;
    -      }
           if (aPath.length === 0) {
             value = value[key.replace("%2E", ".")];
             if (value == null) {
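Review bot: this hunk drops the `constructor`/`__proto__` guards from the first function in this file (the one-level getter, not the setter the commit message names) without putting anything in their place. Reading through `__proto__` cannot write to the prototype, so this is not a pollution risk, but a lookup of `__proto__` now resolves against the prototype instead of returning early, which is a behavior change that deserves a line in the commit message or a comment at the removal site.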
    @@ -64,17 +58,14 @@
           aPath = ("" + path).split(".");
           value = object;
           key = aPath.shift();
    -      if (key === 'constructor' && typeof object[key] === 'function') {
    -        return object;
    -      }
    -      if (key === '__proto__') {
    -        return object;
    -      }
           while (key) {
             key = key.replace("%2E", ".");
             if (value[key] == null) {
               value[key] = {};
             }
    +        if (!value.hasOwnProperty(key)) {
    +          return;
    +        }
             if (aPath.length === 0) {
               if (defaultValue != null) {
                 value[key] = defaultValue;
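Review bot: the new check `if (!value.hasOwnProperty(key))` calls the method through `value` itself, so it throws a TypeError on targets created with `Object.create(null)` and can be shadowed by an own key named `hasOwnProperty` created earlier in the same path; prefer `Object.prototype.hasOwnProperty.call(value, key)`. Also, the new early exit is a bare `return;` whereas the removed guards did `return object;`, so callers that relied on getting the object back now receive `undefined` on a rejected path. The ordering itself is sound: for `__proto__` and `constructor` the `value[key] == null` branch does not fire because both resolve to inherited, non-null values, and the own-property test then rejects them.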
    
  • src/utils.coffee  +3 −10  modified
    @@ -31,11 +31,6 @@
             value = object
             key   = aPath.shift()
     
    -        if key is 'constructor' and typeof object[key] is 'function'
    -            return
    -        if key is '__proto__'
    -            return
    -
             if aPath.length is 0
                 # This is only a 1 deep check
                 #
    @@ -60,11 +55,6 @@
             value = object
             key   = aPath.shift()
     
    -        if key is 'constructor' and typeof object[key] is 'function'
    -            return object
    -        if key is '__proto__'
    -            return object
    -
             while key
                 key = key.replace( "%2E", "." )
     
    @@ -73,6 +63,9 @@
                 if not value[ key ]?
                     value[ key ] = {}
     
    +            if not value.hasOwnProperty(key)
    +                return
    +
                 if aPath.length is 0
                     # Assign the default value to the newly created key if supplied
                     #
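Review bot: the new `if not value.hasOwnProperty(key)` exit silently rejects any write through an inherited, non-null property, including legitimate segments such as `toString` or keys inherited from a user-defined class prototype, with no error and no return value; that behavior change should be described in the function comment. If lib/utils.js is the compiled output of this file, the committed JS should come from a fresh compile so the two stay in step.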
    
  • test/prototype-pollution.coffee  +3 −1  modified
    @@ -5,8 +5,10 @@ describe( "Prototype pollution", () ->
         describe( "#setValue()", () ->
             it( "Should not pollute value", () ->
                 objectUtils.setValue( '__proto__.polluted', {}, true )
    -
                 chai.expect( global.polluted ).to.eql( undefined )
    +
    +            objectUtils.setValue('this.constructor.prototype.polluted', {}, 'yes');
    +            chai.expect( {}.polluted ).to.eql( undefined )
             )
         )
     )
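Review bot: the added assertion is a useful regression case, but the new `objectUtils.setValue('this.constructor.prototype.polluted', {}, 'yes');` line departs from the file's style (no spaces inside the call parentheses, a trailing semicolon). The path also starts with `this`, which creates an own key named `this` before the `constructor` segment is reached, so it exercises the own-property check one level down rather than the direct `constructor.prototype.polluted` path; add the direct path as well, and a positive case confirming that a legitimate nested path still sets its value after the new early return.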
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.