VYPR
High severity · NVD Advisory · Published Jun 10, 2023 · Updated Jan 6, 2025

CVE-2023-26132

Description

Prototype Pollution in dottie before 2.0.4 via set() function allows attackers to inject properties into Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The dottie JavaScript library before version 2.0.4 is vulnerable to Prototype Pollution due to insufficient input validation in the set() function and the internal current variable used to traverse nested paths [1][2]. The flaw occurs because the code does not properly sanitize path segments, allowing attackers to use special keys like __proto__ to pollute the base object's prototype [2]. The commit fixing the issue explicitly adds a guard against __proto__ as the first path segment and within transformed keys [2].

Exploitation requires the attacker to control the path argument passed to dottie.set(), which is common in applications that accept user input for setting nested object properties [3]. No authentication is needed if the vulnerable function is exposed without access controls. By crafting a path such as __proto__.maliciousKey, an attacker can inject a property onto Object.prototype, which is then inherited by all JavaScript objects in the runtime [3].

The impact includes potential denial of service via exception triggering, or more critically, remote code execution if the polluted property alters application logic to execute attacker-controlled code [3]. This is a classic Prototype Pollution vulnerability that can silently affect application behavior across the entire object graph.

Mitigation is straightforward: upgrade to dottie version 2.0.4 or later, which includes the preventative check for __proto__ [2]. The repository has since been archived, so users should consider migrating to maintained alternatives if further updates are needed [4]. No workarounds are officially documented, but applications that accept user-defined paths should always call Object.preventExtensions() on the target object before using dottie.set() [2].
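As an added example (not dottie's code and not taken from the advisory or the fix commit), a minimal dotted-path setter in the shape the narrative describes for the pre-2.0.4 set(), beside a hardened version that goes further than the 2.0.4 commit by rejecting `__proto__`, `constructor` and `prototype` in any path segment and by walking only own properties; `isPolluted()` is the check a test suite can run after untrusted paths have been processed. The names `naiveSet`, `safeSet`, `isPolluted` and `demo` are this example's own.

```javascript
// Dotted-path setter in the shape the advisory describes for dottie.set() before 2.0.4
// (constructed for this example, not dottie's code): every segment is trusted, so a
// '__proto__' segment walks into Object.prototype and the final assignment lands there.
function naiveSet(target, path, value) {
  const pieces = Array.isArray(path) ? path : path.split('.');
  let current = target;
  for (let i = 0; i < pieces.length - 1; i++) {
    if (typeof current[pieces[i]] !== 'object' || current[pieces[i]] === null) current[pieces[i]] = {};
    current = current[pieces[i]];
  }
  current[pieces[pieces.length - 1]] = value;
  return target;
}

// Segments that resolve to a prototype rather than to a data property.
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened setter: rejects an unsafe key in ANY segment (the 2.0.4 fix checks only the
// first), throws instead of silently returning, and only walks into own properties.
function safeSet(target, path, value) {
  const pieces = Array.isArray(path) ? path : path.split('.');
  const bad = pieces.find((p) => UNSAFE_SEGMENTS.has(p));
  if (bad !== undefined) throw new TypeError(`unsafe path segment: ${bad}`);
  let current = target;
  for (let i = 0; i < pieces.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(current, pieces[i]);
    if (!own || typeof current[pieces[i]] !== 'object' || current[pieces[i]] === null) {
      current[pieces[i]] = {};
    }
    current = current[pieces[i]];
  }
  current[pieces[pieces.length - 1]] = value;
  return target;
}

// Detection check: has Object.prototype gained an own property with this name?
function isPolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Runs the advisory's path through both setters, then deletes the polluted property.
function demo() {
  naiveSet({}, '__proto__.pollution', 'polluted');
  const naivePolluted = isPolluted('pollution');
  delete Object.prototype.pollution; // undo so nothing else in this process inherits it
  let rejected = false;
  try { safeSet({}, 'user.__proto__.pollution', 'polluted'); } catch (e) { rejected = e instanceof TypeError; }
  const out = safeSet({}, 'user.location.city', 'Zanzibar City');
  return { naivePolluted, rejected, safePolluted: isPolluted('pollution'), city: out.user.location.city };
}
```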

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
dottie    npm         < 2.0.4             2.0.4


Patches (1)

Commit 7d3aee1c9c3c: rudimentary __proto__ guarding

https://github.com/mickhansen/dottie.js · Mick Hansen · Jun 8, 2023 · via ghsa
4 files changed · +27 −0
  • dottie.js · +4 −0 · modified
    @@ -72,6 +72,7 @@
       // Set nested value
       Dottie.set = function(object, path, value, options) {
         var pieces = Array.isArray(path) ? path : path.split('.'), current = object, piece, length = pieces.length;
    +    if (pieces[0] === '__proto__') return;
     
         if (typeof current !== 'object') {
             throw new Error('Parent is not an object.');
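Review bot: the guard `if (pieces[0] === '__proto__') return;` inspects only the first segment, so the check does not cover a `__proto__` segment that appears later in `pieces`; check every segment (for example `pieces.indexOf('__proto__') !== -1`) and throw, matching the existing `throw new Error('Parent is not an object.')` style, so a refused write is visible to the caller instead of a silent no-op.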
    @@ -140,6 +141,9 @@
     
           if (key.indexOf(options.delimiter) !== -1) {
             pieces = key.split(options.delimiter);
    +
    +        if (pieces[0] === '__proto__') break;
    +
             piecesLength = pieces.length;
             current = transformed;
     
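Review bot: `break` at `if (pieces[0] === '__proto__') break;` leaves the loop over the object's keys entirely, so every key that follows a rejected one is silently dropped from `transformed`; use `continue` (or throw) so only the offending key is skipped and the rest of the input is still transformed. As in the set() hunk, only `pieces[0]` is examined.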
    
  • README.md · +3 −0 · modified
    @@ -32,6 +32,7 @@ dottie.get(values, ['some.dot.included', 'key']); // returns 'barfoo'
     *Note: lodash.get() also works fine for this* 
     
     ### Set value
    +
     Sets nested value, creates nested structure if needed
     
     ```js
    @@ -42,6 +43,8 @@ dottie.set(values, 'some.nested.object', someValue, {
     });
     ```
     
    +If you accept arbitrary/user-defined paths to `set` you should call `Object.preventExtensions(values)` first to guard against potential pollution.
    +
     ### Transform object
     Transform object from keys with dottie notation to nested objects
     
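Review bot: the added sentence presents `Object.preventExtensions(values)` as the guard, but it makes only `values` itself non-extensible; objects reached while walking the path are unaffected, and it also stops `set` from doing what the section above promises ("creates nested structure if needed") for new top-level keys. Document the library's own `__proto__` check as the primary protection and describe `preventExtensions` as an optional defence-in-depth measure with that side effect.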
    
  • test/set.test.js · +8 −0 · modified
    @@ -65,4 +65,12 @@ describe("dottie.set", function () {
         });
         expect(data.foo.bar.baz).to.equal('someValue');
       });
    +
    +  it('should not attempt to set __proto__', function () {
    +    var data = {};
    +
    +    dottie.set(data, '__proto__.pollution', 'polluted');
    +
    +    expect(data.__proto__.pollution).to.be.undefined;
    +  });
     });
    \ No newline at end of file
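Review bot: the test covers only the string form of the path, while `set` also accepts an array (`Array.isArray(path) ? path : path.split('.')`) and the new guard applies to both; add a case for `['__proto__', 'pollution']`. Also, if the assertion ever fails, `Object.prototype.pollution` stays set for the rest of the run, so add a `delete Object.prototype.pollution` in an afterEach to keep a regression here from breaking unrelated tests.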
    
  • test/transform.test.js · +12 −0 · modified
    @@ -145,4 +145,16 @@ describe("dottie.transform", function () {
         expect(transformed.user.location.city).to.equal('Zanzibar City');
         expect(transformed.project.title).to.equal('dottie');
       });
    +
    +  it("should guard against prototype pollution", function () {
    +    var values = {
    +      'user.name': 'John Doe',
    +      '__proto__.pollution': 'pollution'
    +    };
    +
    +    var transformed = dottie.transform(values);
    +    expect(transformed.user).not.to.equal(undefined);
    +    expect(transformed.user.name).to.equal('John Doe');
    +    expect(transformed.__proto__.pollution).to.be.undefined;
    +  });
     });
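Review bot: the fixture lists `'user.name'` before `'__proto__.pollution'`, so the test never shows what happens to keys that follow the rejected one (the fix uses `break`, which ends the key loop); add a key after `'__proto__.pollution'` and assert it is present in `transformed`, so the test pins down that only the bad key is skipped.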
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
