CVE-2022-37266
Description
Prototype pollution vulnerability in function extend in babel.js in stealjs steal 2.2.4 via the key variable in babel.js.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A prototype pollution vulnerability exists in the extend function of babel.js in stealjs/steal 2.2.4, via the key variable.
Root Cause
The vulnerability is a prototype pollution flaw found in the extend function within babel.js of the stealjs/steal package, version 2.2.4 [1][2]. The issue occurs through the key variable in that function, allowing an attacker to pollute the base object's prototype [1].
Exploitation
An attacker can exploit this by providing a crafted object that includes properties like __proto__ or constructor.prototype as the key in the extend function. The function does not properly validate or sanitize the key before assigning it, leading to the pollution of Object.prototype [2]. This exploitation requires the attacker to control the input passed to the vulnerable extend function.
Impact
Successful exploitation allows an attacker to add or modify properties on Object.prototype, affecting all objects in the application. This can lead to unexpected behavior, security bypasses, or further attacks such as denial of service or privilege escalation, depending on how the affected application uses the polluted properties.
Mitigation
As of the publication date, a fix has not been provided in the steal 2.2.4 release [1]. Users should monitor the steal repository for an update, apply a workaround if possible, or avoid using the vulnerable extend function with untrusted input.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
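The mechanism and the mitigation above, as an added example that is not steal's own babel.js code: a constructed naive recursive extend that copies every key unchecked, beside a hardened version that skips `__proto__`, `constructor` and `prototype` and only recurses into the target's own plain-object properties. The names `naiveExtend`, `safeExtend` and `pollutes` and the payload are assumptions made for this illustration.

```javascript
// Constructed illustration, not the stealjs/steal source.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Naive deep extend: no key validation. Because JSON.parse creates an own
// property literally named "__proto__", target["__proto__"] resolves to
// Object.prototype and the recursion writes into it.
function naiveExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      target[key] = naiveExtend(target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep extend: reject prototype-reaching keys and never recurse
// into an inherited property of target, only into its own plain objects.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing =
        hasOwn(target, key) && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeExtend(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Regression check: run a constructed untrusted payload through an extend
// implementation and report whether an unrelated fresh object now inherits
// the injected property. Cleans up afterwards so later checks start clean.
function pollutes(extendFn) {
  const untrusted = JSON.parse('{"__proto__": {"polluted": "yes"}}');
  extendFn({}, untrusted);
  const leaked = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return leaked;
}
```

`pollutes(naiveExtend)` returns true and `pollutes(safeExtend)` returns false, while `safeExtend` still performs a normal nested merge.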
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| steal | npm | <= 2.3.0 | — |
Affected products
- stealjs/steal
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-vwhq-pm3r-fjm9 (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-37266 (NVD advisory)
- github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/babel.js (affected source)
- github.com/stealjs/steal/issues/1535 (upstream issue)
News mentions
No linked articles in our index yet.