CVE-2023-26139
Description
Prototype Pollution in underscore-keypath allows attackers to pollute Object.prototype via the setProperty() function using __proto__ arguments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The vulnerability is a Prototype Pollution issue in the underscore-keypath JavaScript library, affecting versions from 0.0.11 onwards [1]. The flaw resides in the setProperty() function, which is used internally by setValueForKeyPath(). Due to insufficient input sanitization, an attacker can pass a specially crafted name argument such as __proto__, leading to modification of the object's prototype [2].
Exploitation
To exploit this, an attacker must be able to control the key path provided to setValueForKeyPath() [2]. This can occur if the library is used to parse user-supplied input without validation. For example, passing ['__proto__', 'polluted'] as the key path would pollute Object.prototype [2]. The attack does not require authentication if the function is exposed to untrusted input.
Impact
Successful exploitation allows an attacker to inject properties into Object.prototype, which are then inherited by all JavaScript objects in the application [3]. This can lead to denial of service by causing unexpected behavior or exceptions, and in some cases, it may be chained to achieve remote code execution if the polluted properties affect application logic [3].
Mitigation
As of the latest available information, there is no patch for this vulnerability, and the library appears unmaintained [4]. Users should avoid using the library or ensure that the setValueForKeyPath() function is not called with untrusted input. Alternatively, consider using a different library for key-path access. The vulnerability has been disclosed publicly [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| underscore-keypath (npm) | >= 0.0.11, <= 0.9.3 | — |
Affected products
- underscore-keypath/underscore-keypath
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in setValueForKeyPath() and setProperty() allows the key name `__proto__` to be used as a property key, leading to prototype pollution."
Attack vector
An attacker can pollute the Object prototype by passing a key path containing `__proto__` as the `name` argument to `setValueForKeyPath()` [ref_id=1]. For example, calling `underscore.setValueForKeyPath({}, "__proto__.prop", "polluted")` assigns `"polluted"` to `Object.prototype.prop`, affecting all objects in the runtime [ref_id=1]. The same effect is achieved with an array path `['__proto__', 'prop']` [ref_id=1]. No authentication or special network access is required beyond the ability to supply input to the library's API.
Affected code
The vulnerable function is `setProperty()` in `underscore-keypath.js` (line 162), where the assignment `obj[name] = value` is performed without sanitizing the `name` argument [ref_id=1]. The entry function `setValueForKeyPath()` passes user-controlled key-path segments directly into `setProperty()` without filtering dangerous keys like `__proto__` [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] identifies that the root cause is the lack of input validation in `setValueForKeyPath()` and `setProperty()` — the functions do not reject or sanitize arguments like `__proto__` before using them as object property keys. The remediation would require checking whether the `name` argument equals `__proto__`, `constructor`, or `prototype` (or their nested equivalents) and either blocking or safely handling such keys to prevent prototype pollution [CWE-1321].
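The Mitigation section above recommends validating any key path before it reaches the library, and this section describes the check a fix would need. The following is an added example, not code from underscore-keypath or from the advisory: a minimal key-path setter in the same shape as `setValueForKeyPath()`/`setProperty()` that rejects the keys named above before they are ever used as a property name. The names `safeSetValueForKeyPath`, `safeSetProperty`, `isForbiddenKey` and `demo` are hypothetical, and the sample paths in `demo()` are constructed for the demonstration.

```javascript
// Added example (not underscore-keypath's own code). Hypothetical helpers
// that mirror setValueForKeyPath()/setProperty() but refuse the keys that
// lead to prototype pollution (CWE-1321).

// Segments that can reach a shared prototype from a plain object.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// True for any key-path segment that must never be used as a property name.
function isForbiddenKey(name) {
  return FORBIDDEN_KEYS.has(String(name));
}

// Hardened counterpart of setProperty(): throws on a forbidden key and
// otherwise defines an own data property, so the prototype chain is never
// walked or written through.
function safeSetProperty(obj, name, value) {
  if (isForbiddenKey(name)) {
    throw new TypeError(`refusing to set forbidden key "${String(name)}"`);
  }
  Object.defineProperty(obj, name, {
    value,
    writable: true,
    enumerable: true,
    configurable: true,
  });
  return obj;
}

// Accepts a dot-separated string ("a.b.c") or an array of segments
// (["a", "b", "c"]), the two path forms the advisory's PoC uses.
function splitKeyPath(keyPath) {
  const segments = Array.isArray(keyPath) ? keyPath : String(keyPath).split(".");
  return segments.map(String);
}

// Hardened counterpart of setValueForKeyPath(): validates every segment
// before touching obj, so a rejected path leaves the target unchanged.
function safeSetValueForKeyPath(obj, keyPath, value) {
  const segments = splitKeyPath(keyPath);
  if (segments.length === 0) {
    throw new TypeError("empty key path");
  }
  for (const seg of segments) {
    if (isForbiddenKey(seg)) {
      throw new TypeError(`refusing key path containing "${seg}"`);
    }
  }
  let cursor = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Descend only into an OWN plain-object property; an inherited value
    // (for instance one left behind by earlier pollution) is never followed.
    const own = Object.prototype.hasOwnProperty.call(cursor, seg);
    if (!own || typeof cursor[seg] !== "object" || cursor[seg] === null) {
      safeSetProperty(cursor, seg, {});
    }
    cursor = cursor[seg];
  }
  safeSetProperty(cursor, segments[segments.length - 1], value);
  return obj;
}

// Constructed demonstration: a normal nested path succeeds, the two paths
// from the advisory's PoC plus a constructor-based variant are rejected,
// and Object.prototype stays clean afterwards.
function demo() {
  const results = {};
  const target = safeSetValueForKeyPath({}, "a.b.c", 1);
  results.nestedWorks = target.a.b.c === 1;
  const badPaths = [["__proto__", "prop"], "__proto__.prop", "constructor.prototype.prop"];
  for (const bad of badPaths) {
    try {
      safeSetValueForKeyPath({}, bad, "polluted");
      results[String(bad)] = "ALLOWED";
    } catch (e) {
      results[String(bad)] = "rejected";
    }
  }
  results.prototypeClean = ({}).prop === undefined;
  return results;
}
```

Rejecting the path before any assignment (rather than silently skipping the bad segment) is deliberate: a caller that passed `__proto__` is either buggy or under attack, and a thrown error is easier to log and alert on than a write that quietly did nothing. The `hasOwnProperty` check in the descent also keeps the setter from walking into an already polluted prototype property.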
Preconditions
- Input: The application must use the underscore-keypath library (version 0.0.11 or later) and pass user-controlled input to setValueForKeyPath() or setProperty()
- Auth: No authentication or special privileges required; any caller of the vulnerable API can trigger the pollution
Reproduction
```javascript
var underscore = require("underscore-keypath");

// POC 1: using array path
console.log("Before: " + {}.prop);
underscore.setValueForKeyPath({}, ['__proto__', 'prop'], "polluted");
console.log("After: " + {}.prop);

// POC 2: using dot-separated string path
// (note: Object.prototype.prop is already set by POC 1 at this point,
// so this "Before" line reflects the earlier pollution)
console.log("Before: " + {}.prop);
underscore.setValueForKeyPath({}, "__proto__.prop", "polluted");
console.log("After: " + {}.prop);
```
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.