CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Description
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-180 · CAPEC-77
CVEs mapped to this weakness (503)
page 1 of 26

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-34621 | — | High | 0.69 | 8.6 | 0.07 | KEV | Apr 11, 2026 | Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user.… |
| CVE-2024-56059 | — | Critical | 0.66 | 9.8 | 0.02 | — | Dec 18, 2024 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in farinspace Partners partners allows Object Injection. This issue affects Partners: from n/a through <= 0.2.0. |
| CVE-2026-44005 | — | Critical | 0.65 | 10.0 | 0.01 | — | May 13, 2026 | vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets… |
| CVE-2025-63704 | — | Critical | 0.64 | 9.8 | 0.00 | — | May 7, 2026 | NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object. |
| CVE-2025-63703 | — | Critical | 0.64 | 9.8 | 0.00 | — | May 7, 2026 | npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js(). |
| CVE-2024-52441 | — | Critical | 0.64 | 9.8 | 0.01 | — | Nov 20, 2024 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Rajesh Thanoch Quick Learn quick-learn allows Object Injection. This issue affects Quick Learn: from n/a through <= 1.0.1. |
| CVE-2024-39011 | — | Critical | 0.64 | 9.8 | 0.01 | — | Jul 30, 2024 | Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the function mergeObjects. |
| CVE-2024-39014 | — | Critical | 0.64 | 9.8 | 0.01 | — | Jul 1, 2024 | ahilfoley cahil/utils v2.3.2 was discovered to contain a prototype pollution via the function set. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. |
| CVE-2024-39013 | — | Critical | 0.64 | 9.8 | 0.01 | — | Jul 1, 2024 | 2o3t-utility v0.1.2 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. |
| CVE-2024-36582 | — | Critical | 0.64 | 9.8 | 0.01 | — | Jun 17, 2024 | alexbinary object-deep-assign 1.0.11 is vulnerable to Prototype Pollution via the extend() method of Module.deepAssign (/src/index.js) |
| CVE-2024-36580 | — | Critical | 0.64 | 9.8 | 0.01 | — | Jun 17, 2024 | A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code. |
| CVE-2018-3753 | — | Critical | 0.64 | 9.8 | 0.01 | — | Jul 3, 2018 | The utilities function in all versions <= 1.0.0 of the merge-objects node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that… |
| CVE-2025-13158 | — | Critical | 0.60 | — | 0.00 | — | Dec 26, 2025 | Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the application, potentially leading to… |
| CVE-2026-53609 | — | Critical | 0.59 | 9.1 | 0.00 | — | Jun 12, 2026 | ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, `apos.util.set()` traverses dot-notation paths without sanitizing `__proto__`, allowing an authenticated editor to write arbitrary values to `Object.prototype` via the… |
| CVE-2026-44791 | — | Critical | 0.59 | — | 0.01 | — | May 14, 2026 | Impact: An authenticated user with permission to create or modify workflows could bypass the patch for GHSA-hqr4-h3xv-9m3r in the XML node. When combined with other nodes, this could lead to RCE on the n8n host. Patches: The issue has been fixed in n8n versions 1.123.43,… |
| CVE-2026-44789 | — | Critical | 0.59 | — | 0.01 | — | May 14, 2026 | Impact: An authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance. Patches: The issue… |
| CVE-2026-33864 | — | Critical | 0.59 | — | 0.01 | — | Mar 26, 2026 | Summary: A prototype pollution vulnerability exists in the latest version of the convict npm package (6.2.4). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute… |
| CVE-2026-33863 | — | Critical | 0.59 | — | 0.00 | — | Mar 26, 2026 | Impact: Two unguarded prototype pollution paths exist, not covered by previous fixes: 1. `config.load()` / `config.loadFile()` — `overlay()` recursively merges config data without checking for forbidden keys. Input containing `__proto__` or `constructor.prototype` (e.g.… |
| CVE-2024-57077 | — | Critical | 0.59 | 9.1 | 0.00 | — | Feb 5, 2025 | The latest version of utils-extend (1.0.8) is vulnerable to Prototype Pollution through the entry function(s) lib.extend. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service… |
| CVE-2024-39008 | — | Critical | 0.58 | 10.0 | 0.01 | — | Jul 1, 2024 | robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function objectMergeDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. |