jodit: Prototype pollution in Jodit via Jodit.modules.Helpers.set()
Description
Summary
Jodit.modules.Helpers.set(chain, value, obj) walks the dot-separated chain, creating and following each path segment, without filtering prototype-mutating keys. A chain that begins with (or contains) __proto__, constructor, or prototype lets the final assignment reach and mutate Object.prototype (prototype pollution).
Affected
- Package: jodit (npm)
- Versions: < 4.12.26
- Public API: Jodit.modules.Helpers.set(chain, value, obj)
Proof of Concept
```js
const { Jodit } = require('jodit');
delete Object.prototype.polluted;
Jodit.modules.Helpers.set('__proto__.polluted', 'yes', {});
console.log(({}).polluted); // "yes" (before the fix)
delete Object.prototype.polluted;
```
Impact
Applications that pass a user-controlled or partially user-controlled key path into Jodit.modules.Helpers.set() could be vulnerable to prototype pollution (CWE-1321): unexpected property injection, logic bypass, denial of service, or secondary security issues.
Patch
Fixed in 4.12.26 by rejecting any chain whose segments include __proto__, constructor, or prototype, reusing the same guard introduced for Jodit.configure() in 4.12.18.
Credit
Responsibly reported by Junming Wu.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"`Jodit.modules.Helpers.set()` walks a dot-separated chain without filtering prototype-mutating keys like `__proto__`, `constructor`, or `prototype`, allowing the final assignment to mutate `Object.prototype`."
Attack vector
An attacker supplies a dot-separated key path containing `__proto__`, `constructor`, or `prototype` to `Jodit.modules.Helpers.set(chain, value, obj)`. The function walks each segment without filtering these prototype-mutating keys, so the final assignment reaches and mutates `Object.prototype` [ref_id=1][ref_id=2]. This is a classic prototype pollution vulnerability (CWE-1321). Applications that pass a user-controlled or partially user-controlled key path into this API are exploitable [ref_id=1][ref_id=2].
What the fix does
The patch in version 4.12.26 rejects any chain whose segments include `__proto__`, `constructor`, or `prototype`, reusing the same guard introduced for `Jodit.configure()` in 4.12.18 [ref_id=1][ref_id=2]. By blocking these dangerous keys before the traversal begins, the fix prevents the assignment from ever reaching `Object.prototype`. No other changes to the function's logic are described.
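The guard described above, written as an added example that is not Jodit's source or the fix commit: `FORBIDDEN_SEGMENTS`, `parseSafeChain`, `safeSet` and `demo` are hypothetical names, the chains in `demo` are constructed inputs, and the own-property check during the walk is an extra assumption beyond what the advisory describes.

```javascript
// Added example with hypothetical names; not Jodit's implementation.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a dot-separated chain and reject it if any segment could
// redirect the walk onto a prototype object.
function parseSafeChain(chain) {
  if (typeof chain !== 'string' || chain.length === 0) {
    throw new TypeError('chain must be a non-empty string');
  }
  const segments = chain.split('.');
  for (const segment of segments) {
    if (FORBIDDEN_SEGMENTS.has(segment)) {
      throw new Error(`unsafe key path segment: ${segment}`);
    }
  }
  return segments;
}

// Path setter that validates the whole chain before touching `obj`.
function safeSet(chain, value, obj) {
  const segments = parseSafeChain(chain);
  let cursor = obj;
  for (const key of segments.slice(0, -1)) {
    // Assumption beyond the advisory: follow only own properties that hold
    // objects, so inherited members are never traversed or mutated.
    const own = Object.prototype.hasOwnProperty.call(cursor, key);
    if (!own || cursor[key] === null || typeof cursor[key] !== 'object') {
      cursor[key] = {};
    }
    cursor = cursor[key];
  }
  cursor[segments[segments.length - 1]] = value;
  return obj;
}

// Run constructed chains through the setter and report what was rejected
// and whether a fresh object inherits a `polluted` property afterwards.
function demo() {
  const chains = ['a.b.c', '__proto__.polluted',
                  'constructor.prototype.polluted', 'x.prototype.y'];
  const target = {};
  const rejected = [];
  for (const chain of chains) {
    try { safeSet(chain, 'yes', target); } catch (e) { rejected.push(chain); }
  }
  return { target, rejected, polluted: 'polluted' in {} };
}
```

Because the guard matches segment names rather than intent, a benign chain such as `x.prototype.y` is rejected as well; callers that need such keys have to store them another way.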
Preconditions
- input: The application must call `Jodit.modules.Helpers.set()` with a chain argument that is at least partially attacker-controlled
- input: The chain must contain `__proto__`, `constructor`, or `prototype` as one of its segments
Reproduction
```js
const { Jodit } = require('jodit');
delete Object.prototype.polluted;
Jodit.modules.Helpers.set('__proto__.polluted', 'yes', {});
console.log(({}).polluted); // "yes" (before the fix)
delete Object.prototype.polluted;
```
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.