CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

VariantIncomplete

Description

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Hierarchy (View 1000)

Parents

CWE-915

Children

none

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-180 · CAPEC-77

CVEs mapped to this weakness (488)

page 13 of 25

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2023-26105	—	—	0.00	Feb 28, 2023	All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function.
CVE-2023-26102	—	—	0.00	Feb 24, 2023	All versions of the package rangy are vulnerable to Prototype Pollution when using the extend() function in file rangy-core.js.The function uses recursive merge which can lead an attacker to modify properties of the Object.prototype
CVE-2021-4307	Yomguithereal Baobab	—	0.01	Jan 7, 2023	A vulnerability was found in Yomguithereal Baobab up to 2.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The…
CVE-2022-4742	—	—	0.00	Dec 26, 2022	A vulnerability, which was classified as critical, has been found in json-pointer up to 0.6.1. Affected by this issue is the function set of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution').…
CVE-2021-4279	Starcounter-Jack JSON-Patch	—	0.00	Dec 25, 2022	A vulnerability has been found in Starcounter-Jack JSON-Patch up to 3.1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack can…
CVE-2020-36632	—	—	0.01	Dec 25, 2022	A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible…
CVE-2021-4278	Cronvel Tree-kit	—	0.00	Dec 25, 2022	A vulnerability classified as problematic has been found in cronvel tree-kit up to 0.6.x. This affects an unknown part. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). Upgrading to version 0.7.0 is able to…
CVE-2022-46175	Json5 Json5	—	0.42	Dec 24, 2022	JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing…
CVE-2022-25904	—	—	0.00	Dec 21, 2022	All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify…
CVE-2021-4264	Linkedin dustjs	—	0.01	Dec 21, 2022	A vulnerability was found in LinkedIn dustjs up to 2.x and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be…
CVE-2020-36618	Furqan node-whois	—	0.01	Dec 19, 2022	A vulnerability classified as critical has been found in Furqan node-whois. Affected is an unknown function of the file index.coffee. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to launch the…
CVE-2021-4245	chbrown rfc6902	—	0.01	Dec 15, 2022	A vulnerability classified as problematic has been found in chbrown rfc6902. This affects an unknown part of the file pointer.ts. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The exploit has been disclosed…
CVE-2022-24999	—	—	0.02	Nov 26, 2022	qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack…
CVE-2022-41879	Parse Community Parse Server	—	0.00	Nov 10, 2022	Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server…
CVE-2022-41878	Parse Community Parse Server	—	0.01	Nov 10, 2022	Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected via Cloud Code Webhooks or Triggers.…
CVE-2022-39396	Parse Community Parse Server	—	0.11	Nov 10, 2022	Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution…
CVE-2022-41713	—	—	0.00	Nov 3, 2022	deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the '__proto__' property to be edited.
CVE-2022-42743	—	—	0.00	Nov 3, 2022	deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited.
CVE-2022-41714	—	—	0.00	Nov 3, 2022	fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited.
CVE-2022-37623	—	—	0.01	Oct 31, 2022	Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the shimPath variable in resolve-shims.js.

CVE-2023-26105Feb 28, 2023
risk 0.00cvss —epss 0.00
All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function.
CVE-2023-26102Feb 24, 2023
risk 0.00cvss —epss 0.00
All versions of the package rangy are vulnerable to Prototype Pollution when using the extend() function in file rangy-core.js.The function uses recursive merge which can lead an attacker to modify properties of the Object.prototype
CVE-2021-4307Jan 7, 2023
Yomguithereal
Baobab
risk 0.00cvss —epss 0.01
A vulnerability was found in Yomguithereal Baobab up to 2.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The…
CVE-2022-4742Dec 26, 2022
risk 0.00cvss —epss 0.00
A vulnerability, which was classified as critical, has been found in json-pointer up to 0.6.1. Affected by this issue is the function set of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution').…
CVE-2021-4279Dec 25, 2022
Starcounter-Jack
JSON-Patch
risk 0.00cvss —epss 0.00
A vulnerability has been found in Starcounter-Jack JSON-Patch up to 3.1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack can…
CVE-2020-36632Dec 25, 2022
risk 0.00cvss —epss 0.01
A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible…
CVE-2021-4278Dec 25, 2022
Cronvel
Tree-kit
risk 0.00cvss —epss 0.00
A vulnerability classified as problematic has been found in cronvel tree-kit up to 0.6.x. This affects an unknown part. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). Upgrading to version 0.7.0 is able to…
CVE-2022-46175Dec 24, 2022
Json5
Json5
risk 0.00cvss —epss 0.42
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing…
CVE-2022-25904Dec 21, 2022
risk 0.00cvss —epss 0.00
All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify…
CVE-2021-4264Dec 21, 2022
Linkedin
dustjs
risk 0.00cvss —epss 0.01
A vulnerability was found in LinkedIn dustjs up to 2.x and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be…
CVE-2020-36618Dec 19, 2022
Furqan
node-whois
risk 0.00cvss —epss 0.01
A vulnerability classified as critical has been found in Furqan node-whois. Affected is an unknown function of the file index.coffee. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to launch the…
CVE-2021-4245Dec 15, 2022
chbrown
rfc6902
risk 0.00cvss —epss 0.01
A vulnerability classified as problematic has been found in chbrown rfc6902. This affects an unknown part of the file pointer.ts. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The exploit has been disclosed…
CVE-2022-24999Nov 26, 2022
risk 0.00cvss —epss 0.02
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack…
CVE-2022-41879Nov 10, 2022
Parse Community
Parse Server
risk 0.00cvss —epss 0.00
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server…
CVE-2022-41878Nov 10, 2022
Parse Community
Parse Server
risk 0.00cvss —epss 0.01
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected via Cloud Code Webhooks or Triggers.…
CVE-2022-39396Nov 10, 2022
Parse Community
Parse Server
risk 0.00cvss —epss 0.11
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution…
CVE-2022-41713Nov 3, 2022
risk 0.00cvss —epss 0.00
deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the '__proto__' property to be edited.
CVE-2022-42743Nov 3, 2022
risk 0.00cvss —epss 0.00
deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited.
CVE-2022-41714Nov 3, 2022
risk 0.00cvss —epss 0.00
fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited.
CVE-2022-37623Oct 31, 2022
risk 0.00cvss —epss 0.01
Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the shimPath variable in resolve-shims.js.