Moderate severityNVD Advisory· Published Feb 26, 2026· Updated Feb 26, 2026
Dottie vulnerable to prototype pollution bypass via non-first path segments in set() and transform()
CVE-2026-27837
Description
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit 7d3aee1 only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing __proto__ at any position other than the first. Both dottie.set() and dottie.transform() are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
dottienpm | >= 2.0.4, < 2.0.7 | 2.0.7 |
Affected products
2- Range: >= 2.0.4, < 2.0.7
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-4gxf-g5gf-22h4ghsax_refsource_MISCADVISORY
- github.com/advisories/GHSA-r5mx-6wc6-7h9wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-27837ghsaADVISORY
- github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14ghsax_refsource_MISCWEB
- github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9wghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.