Prototype Pollution
Description
libnested before 1.5.2 is vulnerable to Prototype Pollution via the set function, due to an incomplete fix for CVE-2020-28283.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The libnested package prior to version 1.5.2 is vulnerable to Prototype Pollution via the set function in index.js. This vulnerability is a result of an incomplete fix for the previously disclosed CVE-2020-28283. An attacker can use crafted path arguments, such as ['__proto__', 'polluted'] or [['constructor', 'prototype'], 'polluted'], to pollute the object prototype [1][4].
Exploitation
An attacker needs the ability to call the set function with a user-controlled path value. No special network position or authentication is required if the application passes unsanitized input to the function. The attacker supplies a path like ['__proto__','polluted'] and a value, which then pollutes Object.prototype [4]. The original fix for CVE-2020-28283 was insufficient, as it did not block all possible pollution vectors.
Impact
Successful exploitation allows an attacker to inject arbitrary properties into the JavaScript Object.prototype. This can lead to denial of service via JavaScript exceptions, or potentially to remote code execution by tampering with application logic that inherits from the polluted prototype [2]. The pollution affects all objects in the application, enabling broad influence over subsequent operations.
Mitigation
Update to libnested version 1.5.2 or later, which includes a comprehensive fix that blocks prototype pollution via __proto__, constructor.prototype, and other similar paths [4]. No workaround other than updating is available. The package maintainer released the fix in commit c112986 [4].
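The fix described above, as an added example that is not libnested's own code: the pre-1.5.2 reference check is reproduced beside a hardened setter that compares path segments as strings, rejects non-string segments and prototype keys instead of silently skipping them, and a helper that confirms Object.prototype stayed clean. The names (`safeSet`, `isPrototypeKey`, `isPrototypeKeyIncomplete`, `isIndex`, `prototypeIsClean`) are the example's own.

```javascript
// Added example, modelled on libnested's set(); the names here are the example's own.
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// The pre-1.5.2 check as removed by the patch: includes() compares an array
// segment by reference, so ['__proto__'] is not matched even though
// obj[['__proto__']] coerces the property key to the string '__proto__'.
function isPrototypeKeyIncomplete(key) {
  return ['__proto__', 'constructor', 'prototype'].includes(key);
}

// Hardened check: compare as a string; String() tolerates null/undefined.
function isPrototypeKey(key) {
  return PROTOTYPE_KEYS.has(String(key));
}

function isIndex(seg) {
  return Number.isInteger(seg) && seg >= 0;
}

// Nested setter that rejects malformed or prototype-addressing paths outright
// rather than silently skipping a segment and writing elsewhere.
function safeSet(obj, path, value) {
  if (obj === null || typeof obj !== 'object') {
    throw new TypeError('safeSet: first arg must be an object');
  }
  const segs = Array.isArray(path) ? path : [path];
  for (const seg of segs) {
    if (typeof seg !== 'string' && !isIndex(seg)) {
      throw new TypeError('safeSet: path segments must be strings or indices');
    }
    if (isPrototypeKey(seg)) throw new Error(`safeSet: refusing key "${seg}"`);
  }
  let cur = obj;
  for (let i = 0; i < segs.length; i++) {
    const key = segs[i];
    if (i === segs.length - 1) { cur[key] = value; break; }
    // Descend only into an own object property; otherwise create a container.
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || cur[key] === null || typeof cur[key] !== 'object') {
      cur[key] = isIndex(segs[i + 1]) ? [] : {};
    }
    cur = cur[key];
  }
  return value;
}

// True when Object.prototype has no own property of that name.
function prototypeIsClean(prop) {
  return !Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}
```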
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| libnested (npm) | < 1.5.2 | 1.5.2 |
Affected products
- libnested/libnested
Patches
c1129865d75f: better fix for prototype pollution vulnerability
2 files changed · +18 −3
index.js+7 −3 modified@@ -22,13 +22,17 @@ function isNonNegativeInteger (i) { function set (obj, path, value) { if(!obj) throw new Error('libnested.set: first arg must be an object') if(isBasic(path)) return obj[path] = value - for(var i = 0; i < path.length; i++) + for(var i = 0; i < path.length; i++) { + if (isPrototypePolluted(path[i])) + continue + if(i === path.length - 1) obj[path[i]] = value else if(null == obj[path[i]]) obj = (obj[path[i]] = isNonNegativeInteger(path[i+1]) ? [] : {}) - else if (!(isPrototypePolluted(path[i]))) + else obj = obj[path[i]] + } return value } @@ -92,7 +96,7 @@ function clone (obj) { } function isPrototypePolluted(key) { - return ['__proto__', 'constructor', 'prototype'].includes(key) + return ['__proto__', 'constructor', 'prototype'].includes(key.toString()) } exports.get = get
test.js+11 −0 modified@@ -151,3 +151,14 @@ tape('clone does not leave an array reference', function (t) { t.end() }) + +tape('prototype pollution', function (t) { + t.notEqual({}.polluted, 'yes') + R.set({}, ['__proto__','polluted'], 'yes'); + t.notEqual({}.polluted, 'yes') + R.set({}, [['__proto__'], 'polluted'], 'yes') + t.notEqual({}.polluted, 'yes') + R.set({}, [['constructor', 'prototype'], 'polluted'], 'yes') + t.notEqual({}.polluted, 'yes') + t.end() +})
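Review bot: in the set() hunk of index.js, the new `continue` silently drops a forbidden segment instead of rejecting the path, so `set({}, ['__proto__', 'polluted'], v)` skips index 0 and then writes `polluted` onto the caller's object, while a path ending in a forbidden key (for example `['a', '__proto__']`) creates `obj.a` and returns `value` without writing it anywhere. Throwing, as the `!obj` guard at the top of the function already does, would surface the misuse to the caller; at minimum the skip-and-continue behaviour should be documented.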
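Review bot: in the isPrototypePolluted hunk, `key.toString()` throws a TypeError when a path segment is `null` or `undefined`, which the previous `includes(key)` tolerated; `String(key)` gives the same string comparison without that regression. A short comment explaining why the coercion is needed would also help: `['__proto__'].toString()` is `'__proto__'`, the same coercion `obj[path[i]]` applies when indexing, which is exactly why the reference comparison in `includes(key)` missed the array form.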
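Review bot: the new test in test.js only asserts on `{}.polluted`; it does not check what set() did with the rejected path (for instance that `'yes'` was not written to the target under another key), and it covers neither a segment of `undefined`, which now reaches `key.toString()`, nor a plain string path that takes the `isBasic(path)` branch above the loop. Style: the first `R.set` call ends with a semicolon while the others do not.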
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-x5m8-2r8v-8f97 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-25352 (advisory)
- github.com/dominictarr/libnested/blob/master/index.js#L22 (web)
- github.com/dominictarr/libnested/commit/c1129865d75fbe52b5a4f755ad3110ca5420f2e1 (web)
- snyk.io/vuln/SNYK-JS-LIBNESTED-2342117 (web)
News mentions
No linked articles in our index yet.