CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Description
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-180 · CAPEC-77
CVEs mapped to this weakness (488)
page 15 of 25| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-23397 | — | 0.00 | — | 0.00 | Jul 25, 2022 | All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead. | ||
| CVE-2020-28462 | — | 0.00 | — | 0.00 | Jul 25, 2022 | This affects all versions of package ion-parser. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context. | ||
| CVE-2020-28461 | — | 0.00 | — | 0.01 | Jul 25, 2022 | This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context. | ||
| CVE-2020-28441 | — | 0.00 | — | 0.01 | Jul 25, 2022 | This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context. | ||
| CVE-2020-7641 | — | 0.00 | — | 0.00 | Jul 17, 2022 | This affects all versions of package grunt-util-property. The function call could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. | ||
| CVE-2021-40663 | — | 0.00 | — | 0.01 | Jun 30, 2022 | deep.assign npm package 0.0.0-alpha.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). | ||
| CVE-2022-21231 | — | 0.00 | — | 0.00 | Jun 24, 2022 | All versions of package deep-get-set are vulnerable to Prototype Pollution via the 'deep' function. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7715](https://security.snyk.io/vuln/SNYK-JS-DEEPGETSET-598666) | ||
| CVE-2022-25871 | — | 0.00 | — | 0.00 | Jun 17, 2022 | All versions of package querymen are vulnerable to Prototype Pollution if the parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. Note: This vulnerability derives from an incomplete fix of… | ||
| CVE-2022-21213 | — | 0.00 | — | 0.02 | Jun 17, 2022 | This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target… | ||
| CVE-2022-25878 | 0.00 | — | 0.00 | May 27, 2022 | The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to… | |||
| CVE-2022-25862 | — | 0.00 | — | 0.00 | May 13, 2022 | This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of the Object.prototype by abusing the set function located in js/set.js. **Note:** This vulnerability derives from an incomplete fix to… | ||
| CVE-2022-21190 | 0.00 | — | 0.01 | May 13, 2022 | This affects the package convict before 6.2.3. This is a bypass of [CVE-2022-22143](https://security.snyk.io/vuln/SNYK-JS-CONVICT-2340604). The [fix](https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880) introduced, relies on the startsWith… | |||
| CVE-2022-25301 | — | 0.00 | — | 0.00 | May 1, 2022 | All versions of package jsgui-lang-essentials are vulnerable to Prototype Pollution due to allowing all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype. | ||
| CVE-2022-22143 | 0.00 | — | 0.02 | May 1, 2022 | The package convict before 6.2.2 are vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508) | |||
| CVE-2022-25645 | — | 0.00 | — | 0.01 | May 1, 2022 | All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or protorype. By crafting a malicious object, it is possible to… | ||
| CVE-2022-21189 | — | 0.00 | — | 0.01 | May 1, 2022 | The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like __proto__ or constructor). This can allow an attacker… | ||
| CVE-2022-24279 | — | 0.00 | — | 0.01 | Apr 15, 2022 | The package madlib-object-utils before 0.1.8 are vulnerable to Prototype Pollution via the setValue method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix of [CVE-2020-7701](https://security.snyk.io/vuln/SNYK… | ||
| CVE-2022-21803 | — | 0.00 | — | 0.01 | Apr 12, 2022 | This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By… | ||
| CVE-2022-1295 | — | 0.00 | — | 0.01 | Apr 11, 2022 | Prototype Pollution in GitHub repository alvarotrigo/fullpage.js prior to 4.0.2. | ||
| CVE-2021-43138 | — | 0.00 | — | 0.01 | Apr 6, 2022 | In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution. |
- CVE-2021-23397Jul 25, 2022risk 0.00cvss —epss 0.00
All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead.
- CVE-2020-28462Jul 25, 2022risk 0.00cvss —epss 0.00
This affects all versions of package ion-parser. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context.
- CVE-2020-28461Jul 25, 2022risk 0.00cvss —epss 0.01
This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with parse , they will pollute the prototype on the application. This can be exploited further depending on the context.
- CVE-2020-28441Jul 25, 2022risk 0.00cvss —epss 0.01
This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.
- CVE-2020-7641Jul 17, 2022risk 0.00cvss —epss 0.00
This affects all versions of package grunt-util-property. The function call could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
- CVE-2021-40663Jun 30, 2022risk 0.00cvss —epss 0.01
deep.assign npm package 0.0.0-alpha.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').
- CVE-2022-21231Jun 24, 2022risk 0.00cvss —epss 0.00
All versions of package deep-get-set are vulnerable to Prototype Pollution via the 'deep' function. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7715](https://security.snyk.io/vuln/SNYK-JS-DEEPGETSET-598666)
- CVE-2022-25871Jun 17, 2022risk 0.00cvss —epss 0.00
All versions of package querymen are vulnerable to Prototype Pollution if the parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. Note: This vulnerability derives from an incomplete fix of…
- CVE-2022-21213Jun 17, 2022risk 0.00cvss —epss 0.02
This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target…
- CVE-2022-25878May 27, 2022risk 0.00cvss —epss 0.00
The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to…
- CVE-2022-25862May 13, 2022risk 0.00cvss —epss 0.00
This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of the Object.prototype by abusing the set function located in js/set.js. **Note:** This vulnerability derives from an incomplete fix to…
- CVE-2022-21190May 13, 2022risk 0.00cvss —epss 0.01
This affects the package convict before 6.2.3. This is a bypass of [CVE-2022-22143](https://security.snyk.io/vuln/SNYK-JS-CONVICT-2340604). The [fix](https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880) introduced, relies on the startsWith…
- CVE-2022-25301May 1, 2022risk 0.00cvss —epss 0.00
All versions of package jsgui-lang-essentials are vulnerable to Prototype Pollution due to allowing all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype.
- CVE-2022-22143May 1, 2022risk 0.00cvss —epss 0.02
The package convict before 6.2.2 are vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508)
- CVE-2022-25645May 1, 2022risk 0.00cvss —epss 0.01
All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or protorype. By crafting a malicious object, it is possible to…
- CVE-2022-21189May 1, 2022risk 0.00cvss —epss 0.01
The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like __proto__ or constructor). This can allow an attacker…
- CVE-2022-24279Apr 15, 2022risk 0.00cvss —epss 0.01
The package madlib-object-utils before 0.1.8 are vulnerable to Prototype Pollution via the setValue method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix of [CVE-2020-7701](https://security.snyk.io/vuln/SNYK…
- CVE-2022-21803Apr 12, 2022risk 0.00cvss —epss 0.01
This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By…
- CVE-2022-1295Apr 11, 2022risk 0.00cvss —epss 0.01
Prototype Pollution in GitHub repository alvarotrigo/fullpage.js prior to 4.0.2.
- CVE-2021-43138Apr 6, 2022risk 0.00cvss —epss 0.01
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.