CVE-2023-26135
Description
All versions of the package flatnest are vulnerable to Prototype Pollution via the nest() function in the flatnest/nest.js file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
All versions of the flatnest npm package are vulnerable to Prototype Pollution via improper handling of __proto__ in the nest() function.
Vulnerability Analysis
CVE-2023-26135 describes a Prototype Pollution vulnerability in the flatnest npm package, affecting all versions. The flaw resides in the nest() function within flatnest/nest.js [1]. The function is designed to reconstruct nested JavaScript objects from flattened key-value pairs, but it does not properly sanitize or validate keys that refer to the object prototype (e.g., __proto__, constructor). When an attacker provides a flat input with a key like __proto__.polluted, the nest() function will recursively assign values along that path, ultimately polluting Object.prototype [2].
Exploitation Method
An attacker can exploit this vulnerability by supplying crafted input to any application that uses the flatnest library to nest user-controlled flat objects. Since the attack relies on the ability to set arbitrary keys in the flat input, no special network position is required beyond the ability to influence data passed to nest(). The input must contain a key path that traverses to __proto__ (or a similar prototype property). Because the nest() function processes string-based path segments without filtering out reserved prototype keys, the pollution succeeds [3][4].
Impact
Successful exploitation leads to Prototype Pollution, which can have severe consequences. By injecting properties into Object.prototype, an attacker can alter the default behavior of all objects in the JavaScript runtime. This can cause denial of service via unexpected exceptions or, more critically, modify application logic to bypass security controls, thereby enabling privilege escalation or remote code execution [2]. The exact impact depends on how the polluted prototype properties are used by the target application.
Mitigation Status
As of the publication date, the flatnest package has not released a patched version. Users are advised to avoid using the package or implement strict input validation to strip any key paths that reference prototype properties. The vulnerability has been cataloged in the Snyk database and the NVD, but no patch is available at this time [1][2].
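The input validation recommended above, as an added example that is not code from flatnest or its author: a path splitter plus a nester that refuse any key segment naming __proto__, constructor or prototype before anything is assigned. The names splitPath, isUnsafePath and safeNest are assumptions, and the dot/bracket path syntax mirrors the separators the package's seek.js splits on.

```javascript
// Added example, not flatnest's own code: validate flattened key paths before
// nesting them, rejecting any segment that would walk into the prototype chain.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Split "a.b[0]['c']" into ["a", "b", "0", "c"]. Both dot and bracket
// notation are treated as separators, since either can spell __proto__.
function splitPath(path) {
  return path
    .split(/\.|\[|\]/)
    .map((seg) => seg.replace(/^["']|["']$/g, ""))
    .filter((seg) => seg.length > 0);
}

// True when any segment of the path names a prototype-related property.
function isUnsafePath(path) {
  return splitPath(path).some((seg) => FORBIDDEN_SEGMENTS.has(seg));
}

// Nest a flat {"a.b": 1} object into {a: {b: 1}}, throwing (rather than
// silently dropping segments) when a key would pollute Object.prototype.
function safeNest(flat) {
  const root = {};
  for (const key of Object.keys(flat)) {
    if (isUnsafePath(key)) {
      throw new Error("refusing prototype key path: " + key);
    }
    const segs = splitPath(key);
    if (segs.length === 0) continue; // e.g. an empty key; nothing to place
    let node = root;
    for (let i = 0; i < segs.length - 1; i++) {
      // Only descend into own properties so inherited ones are never reused.
      if (!Object.prototype.hasOwnProperty.call(node, segs[i])) {
        node[segs[i]] = {};
      }
      node = node[segs[i]];
    }
    node[segs[segs.length - 1]] = flat[key];
  }
  return root;
}
```

Rejecting the whole key is preferable to skipping the offending segment, since a silent skip still writes the remaining segments somewhere and hides the fact that hostile input arrived.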
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| flatnest (npm) | <= 1.0.0 | — |
Affected products
- flatnest/flatnest
- Range: all versions
Patches
27d569baf9d9 Prevent prototype pollution reported in issue #4
5 files changed · +20 −0
flatten.js+2 −0 modified@@ -1,3 +1,5 @@ +'use strict' + module.exports = flatten function flatten(obj) {
nest.js+4 −0 modified@@ -1,3 +1,5 @@ +'use strict' + module.exports = nest var seek = require("./seek") @@ -37,6 +39,8 @@ function insert(target, path, value) { var len = pathBits.length for (var i = 0; i < len; i += 2) { var key = pathBits[i] + if (key === "__proto__") continue + if (key === "constructor" && typeof target[key] == "function") continue var type = pathBits[i + 1] if (type == null && key) parent[key] = value
seek.js+2 −0 modified@@ -1,3 +1,5 @@ +'use strict' + module.exports = seek var nestedRe = /(\.|\[)/
test/flatten.js+2 −0 modified@@ -1,3 +1,5 @@ +'use strict' + var test = require("tape").test var flatten = require("../flatten")
test/nest.js+10 −0 modified@@ -1,3 +1,5 @@ +'use strict' + var test = require("tape").test var nest = require("../nest") @@ -139,3 +141,11 @@ test("nest empty", function (t) { t.deepEquals(nest(struct), expect, "empty object is still empty") t.end() }) + +test("no prototype pollution", function (t) { + nest({'constructor.prototype.fail': true}) + nest({'__proto__.bad': true}) + t.false({}.fail, "constructor.prototype not polluted") + t.false({}.bad, "__proto__ not polluted") + t.end() +})
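Review bot: In the nest.js insert() hunk, the constructor guard reads `typeof target[key]` while the assignment two lines later writes `parent[key]`; if parent has moved away from target as the loop walks down the path, the check inspects the root object rather than the node about to be written, so a `constructor` segment deeper in the path is judged against the wrong object. Consider `typeof parent[key] == "function"` instead. Also, `continue` only skips the offending segment and the loop goes on with the following ones, so a path such as `__proto__.bad` is not rejected, just shortened; throwing on a forbidden segment would be clearer than silently reshaping the input.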
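Review bot: The "no prototype pollution" test in test/nest.js only asserts that `{}.fail` and `{}.bad` are absent and never checks what nest() returns for the two inputs, so the intended result of a skipped segment is left unpinned. Add a `t.deepEquals` on each return value, and cover the bracket form of the same keys, since the seek.js hunk shows paths are split on `[` as well as `.`.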
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7px2-3c2p-q4v4 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-26135 (ghsa, ADVISORY)
- github.com/brycebaril/node-flatnest/blob/b7d97ec64a04632378db87fcf3577bd51ac3ee39/nest.js (ghsa, WEB)
- github.com/brycebaril/node-flatnest/blob/b7d97ec64a04632378db87fcf3577bd51ac3ee39/nest.js#L43 (ghsa, WEB)
- github.com/brycebaril/node-flatnest/commit/27d569baf9d9d25677640edeaf2d13af165868d6 (ghsa, WEB)
- github.com/brycebaril/node-flatnest/issues/4 (ghsa, WEB)
- security.snyk.io/vuln/SNYK-JS-FLATNEST-3185149 (ghsa, WEB)
News mentions
No linked articles in our index yet.