VYPR
High severity · 8.2 · GHSA Advisory · Published May 18, 2026

@tmlmobilidade/utils has prototype pollution in its setValueAtPath

CVE-2026-45325

Description

Impact

Prototype pollution vulnerability in @tmlmobilidade/utils for setValueAtPath().

Patches

A fix is available in versions 20260509.0340.15 and up.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Prototype pollution in @tmlmobilidade/utils setValueAtPath allows attackers to pollute Object.prototype via crafted input.

Vulnerability

The setValueAtPath function in the @tmlmobilidade/utils npm package is vulnerable to prototype pollution. The function does not sanitize the path parameter, allowing an attacker to set properties on Object.prototype by passing paths such as __proto__ or constructor.prototype. Affected versions are those prior to 20260509.0340.15 [1][2].
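A regression check for the behaviour described above, as an added example that is not the package's own code. `setUnguarded` is an assumed shape for a dot-path setter with no segment validation, `setGuarded` applies the same three-segment denylist as the fix, and `probe` (hypothetical helper, constructed marker name) reports whether `Object.prototype` gained a property and then removes it.

```typescript
// Added example: hypothetical stand-ins, not the @tmlmobilidade/utils source.
type Bag = Record<string, any>;
type Setter = (obj: Bag, path: string, value: unknown) => Bag;

// The same three segments the fix rejects.
const UNSAFE_SEGMENTS: readonly string[] = ['__proto__', 'constructor', 'prototype'];

// Assumed pre-fix behaviour: walk the path, creating missing intermediate objects.
function setUnguarded(obj: Bag, path: string, value: unknown): Bag {
	const keys = path.split('.');
	let current: Bag = obj;
	for (const key of keys.slice(0, -1)) {
		// Property reads follow the prototype chain, so '__proto__' on a plain
		// object resolves to Object.prototype instead of a fresh child object.
		if (current[key] == null) current[key] = {};
		current = current[key];
	}
	const last = keys[keys.length - 1] as string;
	current[last] = value;
	return obj;
}

// Guarded variant: validate every segment before the first write.
function setGuarded(obj: Bag, path: string, value: unknown): Bag {
	for (const key of path.split('.')) {
		if (UNSAFE_SEGMENTS.indexOf(key) !== -1) {
			throw new Error(`Unsafe path segment: "${key}"`);
		}
	}
	return setUnguarded(obj, path, value);
}

// Calls a setter with `<prefix>.<marker>` and reports the effect on Object.prototype.
function probe(setter: Setter, prefix: string): { threw: boolean; polluted: boolean } {
	const marker = 'grPollutionMarker'; // constructed name, unlikely to collide
	let threw = false;
	try {
		setter({}, `${prefix}.${marker}`, true);
	} catch {
		threw = true;
	}
	const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, marker);
	delete (Object.prototype as Bag)[marker]; // always restore the global state
	return { threw, polluted };
}
```

The same `probe` calls can be pointed at the real `setValueAtPath` in a project's test suite to confirm the installed version rejects both path forms.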

Exploitation

An attacker can exploit this vulnerability remotely without authentication or user interaction. The attack complexity is low, requiring only the ability to supply a crafted path argument to setValueAtPath. For example, an attacker could send a request that triggers the vulnerable code path with a malicious path string, leading to prototype pollution [2][4].

Impact

Successful exploitation allows the attacker to pollute Object.prototype, injecting arbitrary properties into all objects in the application. This can lead to denial of service, privilege escalation, or remote code execution, depending on how the polluted properties are used by the application [2][4].

Mitigation

The vulnerability is fixed in version 20260509.0340.15 and later. Users should upgrade to this version or newer. No workarounds are documented in the available references [2][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
b10505baa7ba

Add safety checks for unsafe path segments in setValueAtPath function

https://github.com/tmlmobilidade/go · João de Vasconcelos · May 9, 2026 · via ghsa
1 file changed · +9 0
  • packages/utils/src/generic/value-at-path.ts+9 0 modified
    @@ -63,8 +63,17 @@ export function getValueAtPath<T, P extends DotPath<T>>(obj: T, path: P): PathVa
      * @param value The value to set at the specified path.
      * @returns The updated object with the value set at the specified path.
      */
    +const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
    +
     export function setValueAtPath<T extends object, P extends DotPath<T>>(obj: T, path: P, value: PathValue<T, P>): T {
     	const keys = (path as string).split('.');
    +
    +	for (const key of keys) {
    +		if (UNSAFE_KEYS.has(key)) {
    +			throw new Error(`Unsafe path segment: "${key}"`);
    +		}
    +	}
    +
     	let current: any = obj;
     
     	keys.slice(0, -1).forEach((key) => {
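Review bot: the `UNSAFE_KEYS` declaration is inserted between the closing `*/` of the doc comment and `export function setValueAtPath`, so the JSDoc block (`@param value`, `@returns`) now attaches to the constant instead of the exported function. Move the constant above the comment, and add a `@throws` line for the new `Unsafe path segment` error, since callers that previously never saw an exception from this function now can. The loop over `keys` runs before any write, which is the right order; a regression test that passes `__proto__.x` and `constructor.prototype.x`, asserts the throw, and asserts that `({}).x` is still undefined would pin the behaviour. Note also that the match is on exact segment names, so an object with a legitimate own property called `constructor` or `prototype` can no longer be written through this function; that trade-off is worth stating in the doc comment.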
    

References

4
