CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Description
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
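As an added illustration of that description (example code written for this page, not taken from the CWE entry or from any of the packages listed below), the JavaScript below puts a recursive deep-merge with exactly this flaw next to a hardened version and probes both. The function names, the `pollutes` probe and the two payload strings are this example's own constructions; the payload shapes are the `__proto__` and `constructor.prototype` forms the CVE descriptions on this page mention.

```javascript
// Added example, not code from the CWE entry or from any package it lists.
// A recursive "deep merge" with the defect CWE-1321 describes, a hardened
// version, and a probe that shows the difference. Function names and the
// payloads below are this example's own constructions.

// Vulnerable: walks every enumerable key of `src`, including "__proto__"
// and "constructor", and reads target[key] through the prototype chain,
// so attacker-supplied JSON ends up writing into Object.prototype.
function unsafeMerge(target, src) {
  for (const key in src) {
    const val = src[key];
    if (val !== null && typeof val === 'object') {
      if (target[key] === undefined) target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: own keys only, the three prototype-reaching names are dropped
// (throwing is the stricter policy), the nested-object test uses an own
// property check, and new branches are null-prototype objects, which have
// no __proto__ setter and no constructor to climb. Arrays are copied by
// reference as leaves, not recursed into.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = src[key];
    const isPlain = val !== null && typeof val === 'object' && !Array.isArray(val);
    if (isPlain) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (own === null || typeof own !== 'object') target[key] = Object.create(null);
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed payloads in the two shapes the CVE descriptions name.
const PROTO_PAYLOAD = '{"__proto__": {"isAdmin": true}}';
const CONSTRUCTOR_PAYLOAD = '{"constructor": {"prototype": {"isAdmin": true}}}';

// Merge the payload into a fresh object with `mergeFn`, then ask whether an
// unrelated object created afterwards inherits isAdmin. Object.prototype is
// cleaned up in `finally` so one probe cannot taint the next.
function pollutes(mergeFn, payloadJson) {
  const config = { role: 'user', limits: { rps: 10 } };
  try {
    mergeFn(config, JSON.parse(payloadJson));
    return ({}).isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

// Legitimate input still merges as expected under the hardened function.
function mergesNormally() {
  const out = safeMerge({ limits: { rps: 10 } },
                        JSON.parse('{"limits": {"burst": 20}, "name": "svc"}'));
  return out.limits.rps === 10 && out.limits.burst === 20 && out.name === 'svc';
}

for (const [shape, payload] of [['__proto__', PROTO_PAYLOAD],
                                ['constructor.prototype', CONSTRUCTOR_PAYLOAD]]) {
  console.log(`${shape}: unsafeMerge pollutes=${pollutes(unsafeMerge, payload)}` +
              `, safeMerge pollutes=${pollutes(safeMerge, payload)}`);
}
```

The same key-filtering applies wherever untrusted strings become property names, not only in merge helpers: the jszip entry below is the case of archive filenames used as keys, where `files[name] = entry` with `name === "__proto__"` rewrites the prototype of the returned object; indexing into `Object.create(null)` or a `Map` avoids that. Node's `--disable-proto=delete` flag removes the `__proto__` accessor process-wide, but it does nothing against the `constructor.prototype` path, so it is defence in depth rather than a fix.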
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-180 · CAPEC-77
CVEs mapped to this weakness (488)
page 19 of 25

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-23413 | — | | 0.00 | — | 0.01 | | Jul 25, 2021 | This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g. __proto__, toString, etc.) results in a returned object with a modified prototype instance. |
| CVE-2021-23408 | | | 0.00 | — | 0.00 | | Jul 21, 2021 | This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload. |
| CVE-2021-25953 | — | | 0.00 | — | 0.03 | | Jul 14, 2021 | Prototype pollution vulnerability in 'putil-merge' versions 1.0.0 through 3.6.6 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-25952 | — | | 0.00 | — | 0.03 | | Jul 7, 2021 | Prototype pollution vulnerability in 'just-safe-set' versions 1.0.0 through 2.2.1 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-23403 | | | 0.00 | — | 0.01 | | Jul 2, 2021 | All versions of package ts-nodash are vulnerable to Prototype Pollution via the Merge() function due to lack of input validation. |
| CVE-2021-23402 | — | | 0.00 | — | 0.01 | | Jul 2, 2021 | All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality. |
| CVE-2021-32736 | — | | 0.00 | — | 0.00 | | Jun 30, 2021 | think-helper defines a set of helper functions for ThinkJS. In versions of think-helper prior to 1.1.3, the software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control… |
| CVE-2021-23396 | — | | 0.00 | — | 0.00 | | Jun 17, 2021 | All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function. |
| CVE-2020-24939 | — | | 0.00 | — | 0.00 | | Jun 16, 2021 | Prototype pollution in Stampit supermixer 1.0.3 allows an attacker to modify the prototype of a base object, which can vary in severity depending on the implementation. |
| CVE-2021-23395 | — | | 0.00 | — | 0.00 | | Jun 15, 2021 | This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor.prototype payload. |
| CVE-2021-25949 | — | | 0.00 | — | 0.02 | | Jun 10, 2021 | Prototype pollution vulnerability in 'set-getter' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-25948 | — | | 0.00 | — | 0.03 | | Jun 10, 2021 | Prototype pollution vulnerability in 'expand-hash' versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-25947 | — | | 0.00 | — | 0.03 | | Jun 3, 2021 | Prototype pollution vulnerability in 'nestie' versions 0.0.0 through 1.0.0 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-26707 | — | | 0.00 | — | 0.01 | | Jun 2, 2021 | The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications… |
| CVE-2021-25945 | — | | 0.00 | — | 0.03 | | May 26, 2021 | Prototype pollution vulnerability in 'js-extend' versions 0.0.1 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-25946 | — | | 0.00 | — | 0.03 | | May 25, 2021 | Prototype pollution vulnerability in 'nconf-toml' versions 0.0.1 through 0.0.2 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-25944 | — | | 0.00 | — | 0.03 | | May 25, 2021 | Prototype pollution vulnerability in 'deep-defaults' versions 1.0.0 through 1.0.5 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-25941 | — | | 0.00 | — | 0.03 | | May 14, 2021 | Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-25943 | — | | 0.00 | — | 0.03 | | May 14, 2021 | Prototype pollution vulnerability in '101' versions 1.0.0 through 1.6.3 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-23383 | — | | 0.00 | — | 0.06 | | May 4, 2021 | The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source. |