CVE-2022-37617
Description
Prototype pollution in browserify-shim's resolveShims function allows attackers to inject properties into Object.prototype via a crafted k variable, leading to denial of service or arbitrary property manipulation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2022-37617 is a prototype pollution vulnerability found in the resolveShims function within resolve-shims.js of the browserify-shim npm package (version 3.8.15) [1][2][3][4]. The vulnerability occurs when processing user-controlled data through the k variable, which is used to set properties on objects without proper input validation, allowing an attacker to pollute the global Object.prototype [2][4].
Attack Vector and Exploitation
An attacker can exploit this by crafting a malicious k value — typically a string like __proto__ or constructor.prototype — that, when processed by the resolveShims function, results in properties being set on the prototype chain [2][4]. The attack does not require authentication beyond the ability to supply configuration data processed by browserify-shim, which is commonly used as a Browserify transform to make non-CommonJS modules bundleable [1].
Impact
Successful exploitation allows the attacker to inject arbitrary properties into Object.prototype, affecting all objects in the runtime. This prototype pollution can lead to denial of service (via property collisions or runtime errors) or facilitate further attacks, such as bypassing security checks or altering application behavior [3][4].
Mitigation
The issue was addressed in a commit (97855e6) that prevents prototype manipulation by validating property assignments before applying them [2]. Users should update to a patched version (e.g., 3.8.16 or later) or apply the fix manually. There is no evidence of active exploitation in the wild, but the CVE is publicly known, and the repository has been notified [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
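To make the mechanism and the fix described above concrete, here is an added example (not browserify-shim's own code) that models the key loop of a simplified `separateExposeGlobals`: the vulnerable variant writes through `exposeGlobals[k]` for whatever key the shim config supplies, while the fixed variant applies the same `__proto__`/`constructor` guard as commit 97855e6. The shim config, the `exports` strings and the `pollutedAfter` helper are constructed for the demonstration.

```javascript
// Added example: a simplified model of a shim-config key loop, not the
// browserify-shim source. Vulnerable variant uses any config key as a property
// name; fixed variant applies the guard from commit 97855e6.

const BLOCKED_KEYS = new Set(['__proto__', 'constructor']);

// Vulnerable: when k is '__proto__', exposeGlobals[k] resolves to
// Object.prototype, so the inner assignment lands on every object in the runtime.
function separateExposeGlobalsVulnerable(shims) {
  const exposeGlobals = {};
  Object.keys(shims).forEach(function (k) {
    const val = shims[k];
    const exp = val && val.exports;
    if (!exp) return;
    exposeGlobals[k] = exposeGlobals[k] || {};
    exposeGlobals[k][exp] = true;
  });
  return exposeGlobals;
}

// Fixed: reject prototype-chain keys before they are used as property names.
// (Creating exposeGlobals with Object.create(null) would add a second barrier.)
function separateExposeGlobalsFixed(shims) {
  const exposeGlobals = {};
  Object.keys(shims).forEach(function (k) {
    if (BLOCKED_KEYS.has(k)) return;
    const val = shims[k];
    const exp = val && val.exports;
    if (!exp) return;
    exposeGlobals[k] = exposeGlobals[k] || {};
    exposeGlobals[k][exp] = true;
  });
  return exposeGlobals;
}

// Constructed shim config, parsed from JSON as a package.json field would be.
// JSON.parse yields an *own* "__proto__" key that Object.keys() returns; an
// object literal with that key would set the prototype and never reach the loop.
const HOSTILE_SHIMS = JSON.parse(
  '{"jquery":{"exports":"$"},"__proto__":{"exports":"polluted"}}'
);

// Runs one variant on the hostile config and reports whether a fresh, unrelated
// object now carries the injected property; cleans up so both variants can be
// compared in one process.
function pollutedAfter(separate) {
  separate(HOSTILE_SHIMS);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```

Running `pollutedAfter` on each variant shows the vulnerable loop leaks `polluted` onto every object while the guarded loop keeps only the `jquery` entry.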
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| browserify-shim (npm) | < 3.8.16 | 3.8.16 |
Affected products
- thlorenz/browserify-shim
Patches
- 97855e622b6d resolve-shims: prevent prototype manipulation (#246)
1 file changed · +5 −0
lib/resolve-shims.js+5 −0 modified@@ -123,6 +123,11 @@ function separateExposeGlobals(shims) { , exposeGlobals = {}; Object.keys(shims).forEach(function (k) { + // https://github.com/thlorenz/browserify-shim/issues/245 + if (k === '__proto__' || k === 'constructor') { + return; + } + var val = shims[k] , exp = val && val.exports;
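Review bot: the new guard in separateExposeGlobals silently `return`s on a `__proto__` or `constructor` key, so a hostile or malformed shim config is dropped with no signal to the user; consider warning or throwing (`throw new Error('invalid shim key: ' + k)`) so the rejected key is visible. The string denylist is also the only barrier: since `exposeGlobals` is created as `{}` in the context above, creating it with `Object.create(null)` would remove the prototype chain from the target and make the key check defence in depth. Finally, the advisory on this page names resolveShims while this hunk touches separateExposeGlobals, so the commit message should state whether other loops over `Object.keys(shims)` in lib/resolve-shims.js need the same check.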
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-866w-wm4h-95c6 (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-37617 (advisory, via GHSA)
- github.com/thlorenz/browserify-shim/blob/464b32bbe142664cd9796059798f6c738ea3de8f/lib/resolve-shims.js (web, via GHSA)
- github.com/thlorenz/browserify-shim/commit/97855e622b6dcd117c77e6583701962ff45e7338 (web, via GHSA)
- github.com/thlorenz/browserify-shim/issues/245 (web, via GHSA)
- github.com/thlorenz/browserify-shim/pull/246 (web, via GHSA)
News mentions
No linked articles in our index yet.