CVE-2026-53609
Description
Authenticated editors can pollute Object.prototype in ApostropheCMS to bypass authorization on all REST API endpoints for the Node.js process lifetime.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ApostropheCMS versions up to and including 4.30.0 contain a server-side prototype pollution vulnerability in apos.util.set(). The function traverses dot-notation paths without sanitizing __proto__, constructor, or prototype. When an authenticated editor sends a $pullAll patch operator (or direct dot-notation keys) to a piece-type REST API endpoint, the attacker-controlled key is passed directly to apos.util.set(), allowing the attacker to write arbitrary values to Object.prototype [1].
Exploitation
An attacker must have a valid editor-level session. The attacker sends a PATCH request containing a $pullAll patch with a key like __proto__.publicApiProjection and a truthy value. The cloneOriginalBase() function uses _.has() (checking own properties) and skips cloning __proto__. The unsanitized key is then passed to apos.util.set(), which traverses __proto__ and sets Object.prototype.publicApiProjection to a truthy value. The same effect can be achieved via a second entry point using direct dot-notation keys in the PATCH body [1].
Impact
Once Object.prototype.publicApiProjection is set to any truthy value, the gadget publicApiCheck() in piece-type/index.js inherits this property. For every subsequent unauthenticated request to any piece-type REST API endpoint, the guard on self.options.publicApiProjection no longer rejects the request (because the property is inherited and truthy), so the authorization check is bypassed. This grants unrestricted read and write access to all piece-type data for the lifetime of the Node.js process [1].
Mitigation
As of publication date (2026-06-12), no patched version is available. No workaround has been disclosed in the references. Users should monitor the official repository at https://github.com/apostrophecms/apostrophe for an update. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at this time [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.30.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"`apos.util.set()` traverses dot-notation paths without sanitizing `__proto__`, allowing prototype pollution via the `$pullAll` patch operator."
Attack vector
An authenticated editor sends a PATCH request containing the `$pullAll` operator with a crafted key `__proto__.publicApiProjection` and an array value. The `implementPatchOperators()` function passes this key directly into `apos.util.set()`, which traverses the dot-separated path without blocking `__proto__`. This writes the attacker-chosen value to `Object.prototype.publicApiProjection`. Because JavaScript property lookup inherits this from `Object.prototype`, every `publicApiCheck()` call sees a truthy value and skips the authorization gate for all subsequent unauthenticated requests to piece-type REST API endpoints for the lifetime of the Node.js process. [ref_id=1]
What the fix does
The advisory recommends rejecting dangerous prototype-related path segments (`__proto__`, `constructor`, `prototype`) before traversal inside `apos.util.set()` and before passing user-controlled keys into `apos.util.set()` from `implementPatchOperators()`. No official patch has been published as of the time of writing. The proposed fix prevents the dot-notation split from reaching `Object.prototype` by short-circuiting when any path segment matches one of the forbidden identifiers. [ref_id=1]
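The following is an added illustration of the recommended fix, written for this page and not taken from ApostropheCMS: a dot-notation setter that refuses the prototype-related segments before traversal, plus a validator that screens every key in a PATCH body (including keys nested under operators such as `$pullAll`) before any key reaches the setter. The names `safeSet`, `FORBIDDEN_SEGMENTS`, `findForbiddenPatchKeys` and `isPublicApiAllowed` are assumptions, and the sample PATCH body in the demo is constructed for the example; the gate function mirrors the advisory's description of the `publicApiProjection` check with an own-property test added as defence in depth, which is this example's choice rather than the advisory's recommendation.

```javascript
// Added example (not ApostropheCMS code): hardened dot-path setter and PATCH-body
// validator in the spirit of the fix described in the advisory.

// Path segments that would redirect a write onto a shared prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Return every dot-notation key in a patch body that contains a forbidden
// segment, descending into operator objects such as $pullAll so that nested
// keys are screened before they are handed to the setter.
function findForbiddenPatchKeys(patch) {
  const offending = [];
  const visit = (obj) => {
    for (const key of Object.keys(obj)) {
      if (key.split('.').some((seg) => FORBIDDEN_SEGMENTS.has(seg))) {
        offending.push(key);
      }
      const val = obj[key];
      if (key.startsWith('$') && val && typeof val === 'object' && !Array.isArray(val)) {
        visit(val);
      }
    }
  };
  visit(patch);
  return offending;
}

// Set `value` at a dot-notation `path` on `target`, creating intermediate
// plain objects, but short-circuit with an error if any segment is forbidden.
function safeSet(target, path, value) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('path must be a non-empty string');
  }
  const segments = path.split('.');
  for (const segment of segments) {
    if (FORBIDDEN_SEGMENTS.has(segment)) {
      throw new Error(`refusing to traverse forbidden path segment "${segment}"`);
    }
  }
  let current = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    // Only descend into the object's own plain-object properties; an inherited
    // value is never followed, so the write cannot land on a prototype.
    if (!Object.prototype.hasOwnProperty.call(current, key) ||
        typeof current[key] !== 'object' || current[key] === null) {
      current[key] = {};
    }
    current = current[key];
  }
  current[segments[segments.length - 1]] = value;
  return target;
}

// Gate modelled on the advisory's description (assumption, not the project's
// code): public access is allowed only when the options object carries its
// own truthy publicApiProjection, so an inherited value cannot open the gate.
function isPublicApiAllowed(options) {
  return Object.prototype.hasOwnProperty.call(options, 'publicApiProjection') &&
    Boolean(options.publicApiProjection);
}

// Demo on a constructed PATCH body shaped like the one in the advisory.
const constructedBody = JSON.parse('{"$pullAll":{"__proto__.publicApiProjection":[]}}');
console.log('rejected keys:', findForbiddenPatchKeys(constructedBody));
try {
  safeSet({}, '__proto__.publicApiProjection', []);
} catch (e) {
  console.log('setter refused:', e.message);
}
console.log('prototype still clean:', ({}).publicApiProjection === undefined);
console.log('normal write works:', safeSet({}, 'title.en', 'Hello').title.en);
```

A request whose body yields a non-empty result from `findForbiddenPatchKeys` should be rejected with a 400 before any patch operator runs; the setter's own check is the second line of defence for code paths that bypass the validator.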
Preconditions
- Auth: Editor-level credentials are required
- Config: The target must run ApostropheCMS <= 4.30.0
- Network: The attacker must be able to reach the PATCH API endpoint
Reproduction
curl -s http://localhost:3000/api/v1/@apostrophecms/user
TOKEN=$(curl -s -X POST http://localhost:3000/api/v1/@apostrophecms/login/login -H "Content-Type: application/json" -d '{"username":"editor","password":"..."}' | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")
curl -X PATCH "http://localhost:3000/api/v1/@apostrophecms/global/{docId}:en:draft" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Cookie: apos-testapp.csrf=csrf" -H "X-XSRF-TOKEN: csrf" -d '{"$pullAll":{"__proto__.publicApiProjection":[]}}'
curl -s http://localhost:3000/api/v1/@apostrophecms/user
[ref_id=1]
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.