docarray Web API torch_dataset.py __getitem__ prototype pollution
Description
A vulnerability was found in docarray up to 0.40.1. It has been rated as critical. Affected by this issue is the function __getitem__ of the file /docarray/data/torch_dataset.py of the component Web API. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution in DocArray ≤0.40.1's MultiModalDataset.__getitem__ allows remote attackers to overwrite Python class attributes via unsanitized dotted paths.
Vulnerability
Overview
A prototype pollution vulnerability exists in DocArray versions up to 0.40.1, specifically in the MultiModalDataset class. The __getitem__ method in /docarray/data/torch_dataset.py recursively follows a dotted path from user-supplied input to access and set attributes on document objects [1][3]. The code does not sanitize the path components, allowing an attacker to traverse beyond intended document fields and reach internal Python class objects (e.g., .__class__.__base__) [3].
Exploitation
The attack is remotely exploitable via the Web API, such as when DocArray is deployed with FastAPI as recommended [1]. An attacker provides a crafted dotted path as part of a preprocessing configuration or dataset access request. No special privileges are required beyond the ability to interact with the Web API endpoint [2]. The exploit has been publicly disclosed in a Gist with proof-of-concept code [3].
Impact
By overwriting internal Python class attributes, an attacker can cause a denial of service (DoS) by corrupting runtime state [3]. The advisory suggests that, when combined with other backend code, more severe outcomes such as remote code execution (RCE) or cross-site scripting (XSS) may be reachable, though these are not demonstrated in the disclosed exploit [3].
Mitigation
The vendor (DocArray) was contacted but did not respond; no official patch has been released [2][3]. Users should upgrade to a later version if one becomes available, or avoid exposing the vulnerable Web API endpoint. The vulnerability affects all versions up to and including 0.40.1. Until a fix is issued, validating dotted paths against the declared document fields before they are used for attribute access is recommended.
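One way to apply the dotted-path validation the mitigation above recommends, as an added example that is not DocArray's own code: the allowed field tree is derived from a dataclass schema, and every path component must be a declared field, which refuses dunder names such as __class__ before any getattr or setattr runs. The Image and Pair classes are constructed stand-ins for real document types.

```python
import dataclasses
import re
from dataclasses import dataclass, field
from typing import Any


# Constructed stand-ins for a multimodal document (not DocArray classes).
@dataclass
class Image:
    url: str = ""
    tensor: Any = None


@dataclass
class Pair:
    image: Image = field(default_factory=Image)
    caption: str = ""


# Only identifiers without a leading underscore: no private or dunder names.
_IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def allowed_tree(cls: type) -> dict:
    """Build the tree of declared field names from a dataclass schema,
    recursing into fields whose type is itself a dataclass."""
    tree = {}
    for f in dataclasses.fields(cls):
        tree[f.name] = allowed_tree(f.type) if dataclasses.is_dataclass(f.type) else {}
    return tree


def validate_path(path: str, schema: type = Pair) -> list:
    """Split a dotted path and check each component against the schema tree.
    Raises ValueError for empty, underscore-prefixed or undeclared components."""
    parts = path.split(".")
    node = allowed_tree(schema)
    for part in parts:
        if not _IDENT.match(part):
            raise ValueError(f"illegal path component: {part!r}")
        if part not in node:
            raise ValueError(f"undeclared field {part!r} in {path!r}")
        node = node[part]
    return parts


def is_safe_path(path: str, schema: type = Pair) -> bool:
    try:
        validate_path(path, schema)
        return True
    except ValueError:
        return False


def set_by_path(doc: Any, path: str, value: Any) -> None:
    """Assign doc.<path> = value, but only after the path has been validated."""
    *parents, last = validate_path(path, type(doc))
    target = doc
    for name in parents:
        target = getattr(target, name)
    setattr(target, last, value)
```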
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| docarray (PyPI) | <= 0.40.1 | — |
Affected products
- docarray/docarray
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- gist.github.com/superboy-zjc/56502343bcb12eb653081b426debf2c8 (GHSA; exploit)
- github.com/advisories/GHSA-j9wp-865g-rf48 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-5150 (GHSA; advisory)
- vuldb.com (GHSA; third-party advisory)
- vuldb.com (GHSA; signature, permissions required)
- vuldb.com (GHSA; VDB entry, technical description)
News mentions
No linked articles in our index yet.