CVE-2023-26113
Description
Versions of the package collection.js before 6.8.1 are vulnerable to Prototype Pollution via the extend function in Collection.js/dist/node/iterators/extend.js.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype Pollution in collection.js < 6.8.1 via its extend function allows attackers to pollute Object.prototype, leading to denial of service or remote code execution.
The vulnerability affects collection.js, a JavaScript library for working with collections, in versions before 6.8.1. The flaw exists in the extend function located in Collection.js/dist/node/iterators/extend.js. This function is used for merging or extending objects. Because it does not guard against property names that resolve to the prototype chain while recursing through nested definitions, an attacker can inject properties via __proto__ or similar attributes, a classic Prototype Pollution pattern [1][2].
Exploitation
An attacker can exploit this by providing a crafted source object that includes a property like __proto__ (or constructor/prototype) with nested properties. When the extend function recursively merges properties, it traverses into the prototype of the base object, thereby polluting Object.prototype. This requires the attacker to control the input to the extend function (e.g., through user-supplied JSON data that is later merged). No additional authentication is needed if the application processes attacker-controlled data through this function [1][2].
Impact
Successful Prototype Pollution can lead to:
- Denial of Service (DoS): by polluting prototypes with properties that cause exceptions during object operations.
- Remote Code Execution (RCE): by tampering with property values that affect application logic, potentially altering code paths to execute arbitrary code. This typically requires chaining with other application-specific logic that reads properties from objects (e.g., options or config) [2].
Mitigation
The vulnerability is patched in version 6.8.1 of collection.js, released on 2023-01-30 [3]. Users should update to this version or later. No known workarounds have been documented, but sanitizing user input to prevent __proto__ entries before calling extend could reduce risk in legacy applications.
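As an added example illustrating the mitigation described above (this is not collection.js code and not the project's patch): a deep merge that refuses to descend through prototype-reaching keys, an input sanitizer for callers that must keep using an unguarded merge, and a check that Object.prototype has not acquired an own property. The names DENIED_KEYS, safeExtend, stripDeniedKeys, prototypeHasOwn and demo, and the UNTRUSTED_JSON sample, are all constructed for this example. It covers the constructor/prototype path as well as __proto__, which is broader than the single key named in the fix.

```javascript
// Added example, not code from collection.js. Hardened deep merge plus a
// sanitizer and a pollution check, for merging untrusted JSON into config.

// Keys that reach the prototype chain when written through a merge.
const DENIED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// A "plain" object is one whose prototype is Object.prototype or null;
// arrays, class instances, Dates etc. are copied by reference, not merged.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Deep merge of `source` into `target` that skips denied keys at every level.
// Note: JSON.parse('{"__proto__": {...}}') yields an OWN data property named
// "__proto__", so it shows up in Object.keys() and must be filtered here.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (DENIED_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      // Only recurse into an existing OWN plain object; anything inherited
      // (e.g. target.constructor) is ignored and a fresh object is used.
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = safeExtend(existing, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Returns a copy of parsed input with denied keys removed at every depth,
// for callers that still hand data to a merge routine without such a guard.
function stripDeniedKeys(value) {
  if (Array.isArray(value)) return value.map(stripDeniedKeys);
  if (!isPlainObject(value)) return value;
  const out = {};
  for (const key of Object.keys(value)) {
    if (DENIED_KEYS.has(key)) continue;
    out[key] = stripDeniedKeys(value[key]);
  }
  return out;
}

// True if Object.prototype itself carries an own property of that name,
// i.e. a merge has written into the shared prototype.
function prototypeHasOwn(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Constructed sample: the kind of untrusted JSON the narrative describes,
// carrying both a __proto__ entry and a constructor.prototype entry.
const UNTRUSTED_JSON =
  '{"name":"cfg","__proto__":{"polluted":true},' +
  '"opts":{"constructor":{"prototype":{"x":1}},"depth":2}}';

function demo() {
  const parsed = JSON.parse(UNTRUSTED_JSON);
  const merged = safeExtend({ opts: { depth: 1, keep: true } }, parsed);
  return {
    merged,
    polluted: prototypeHasOwn('polluted'),
    cleaned: stripDeniedKeys(parsed),
  };
}

// Usage: node this_file.js
console.log(JSON.stringify(demo(), null, 2));
```

The sanitizer is the cheaper retrofit when the merge routine cannot be changed, but it only protects calls you remember to route through it; the guarded merge is the durable fix, which is why the upstream change is in the merge itself.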
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| collection.js (npm) | < 6.8.1 | 6.8.1 |
Affected products
- collection.js/collection.js
- Range: <6.8.1
Patches
d3d937645f62 fix: fixed prototype pollution issue
1 file changed · +4 −0
src/iterators/extend.js+4 −0 modified@@ -218,6 +218,10 @@ Collection.prototype.extend = function (deepOrParams, args) { isSimple = simpleType[getType(arg)]; promise = promise.then(() => $C(arg).forEach((el, key) => { + if (key === '__proto__') { + return; + } + if (dataIsSimple && isSimple && (withDescriptor || p.withAccessors && (el.get || el.set))) { if (p.traits && key in data !== (p.traits === -1)) { return;
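Review bot: the added guard skips only the literal key '__proto__'; keys named 'constructor' and 'prototype', which the exploitation narrative above lists as alternative vectors, are not filtered in this hunk and still flow into the branch below. Suggest checking a set of denied keys instead, e.g. `if (key === '__proto__' || key === 'constructor' || key === 'prototype') { return; }`, and applying the same check on any other merge path in this function that walks `data[key]`. The commit is `1 file changed · +4 −0`, so no regression test accompanies the fix; a test that extends an object from a JSON-parsed `__proto__` payload and then asserts `Object.prototype` has no new own property would lock the behaviour in.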
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-47pj-q2vm-46xc (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-26113 (advisory)
- github.com/kobezzza/Collection/blob/be32c48e68f49d3be48a58e929d1ab8ff1d2d19c/dist/node/iterators/extend.js%23L324 (web)
- github.com/kobezzza/Collection/commit/d3d937645f62f37d3115d6aa90bb510fd856e6a2 (web)
- github.com/kobezzza/Collection/issues/27 (web)
- github.com/kobezzza/Collection/releases/tag/v6.8.1 (web)
- security.snyk.io/vuln/SNYK-JS-COLLECTIONJS-3185148 (web)
News mentions
No linked articles in our index yet.