CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

VariantIncomplete

Description

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Hierarchy (View 1000)

Parents

CWE-915

Children

none

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-180 · CAPEC-77

CVEs mapped to this weakness (488)

page 20 of 25

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2021-28860	—	—	0.01	May 3, 2021	In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at…
CVE-2021-25928	Mantacode Safe Obj	—	0.03	Apr 26, 2021	Prototype pollution vulnerability in 'safe-obj' versions 1.0.0 through 1.0.2 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-25927	—	—	0.03	Apr 26, 2021	Prototype pollution vulnerability in 'safe-flat' versions 2.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-20085	—	—	0.01	Apr 23, 2021	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in backbone-query-parameters 0.4.0 allows a malicious user to inject properties into Object.prototype.
CVE-2021-20087	—	—	0.01	Apr 23, 2021	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-deparam 0.5.1 allows a malicious user to inject properties into Object.prototype.
CVE-2021-20088	—	—	0.00	Apr 23, 2021	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in mootools-more 1.6.0 allows a malicious user to inject properties into Object.prototype.
CVE-2021-23370	Nolimits4web Swiper	—	0.02	Apr 12, 2021	This affects the package swiper before 6.5.1.
CVE-2020-28503	—	—	0.01	Mar 23, 2021	The package copy-props before 2.0.5 are vulnerable to Prototype Pollution via the main functionality.
CVE-2021-25916	—	—	0.03	Mar 16, 2021	Prototype pollution vulnerability in 'patchmerge' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-21368	—	—	0.01	Mar 12, 2021	msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1, 4.5.1, and 5.2.1 there is a "Prototype Poisoning" vulnerability. When msgpack5 decodes a map containing a key "__proto__", it assigns the decoded value to __proto__.…
CVE-2021-25915	—	—	0.03	Mar 9, 2021	Prototype pollution vulnerability in 'changeset' versions 0.0.1 through 0.2.5 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-25914	—	—	0.03	Mar 1, 2021	Prototype pollution vulnerability in 'object-collider' versions 1.0.0 through 1.0.3 allows attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-21297	node-red node-red	—	0.00	Feb 26, 2021	Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to…
CVE-2021-27582	—	—	0.01	Feb 23, 2021	org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth…
CVE-2021-25913	—	—	0.03	Feb 8, 2021	Prototype pollution vulnerability in 'set-or-get' version 1.0.0 through 1.2.10 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-21304	Dynamoose Dynamoose	—	0.01	Feb 8, 2021	Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method "lib/utils/object/set.ts". This method is used throughout the codebase for…
CVE-2020-28449	—	—	0.00	Feb 4, 2021	This affects all versions of package decal. The vulnerability is in the set function.
CVE-2020-28450	—	—	0.00	Feb 4, 2021	This affects all versions of package decal. The vulnerability is in the extend function.
CVE-2020-28495	—	—	0.06	Feb 2, 2021	This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the…
CVE-2021-23328	—	—	0.00	Jan 29, 2021	This affects all versions of package iniparserjs. This vulnerability relates when ini_parser.js is concentrating arrays. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.

CVE-2021-28860May 3, 2021
risk 0.00cvss —epss 0.01
In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at…
CVE-2021-25928Apr 26, 2021
Mantacode
Safe Obj
risk 0.00cvss —epss 0.03
Prototype pollution vulnerability in 'safe-obj' versions 1.0.0 through 1.0.2 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-25927Apr 26, 2021
risk 0.00cvss —epss 0.03
Prototype pollution vulnerability in 'safe-flat' versions 2.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-20085Apr 23, 2021
risk 0.00cvss —epss 0.01
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in backbone-query-parameters 0.4.0 allows a malicious user to inject properties into Object.prototype.
CVE-2021-20087Apr 23, 2021
risk 0.00cvss —epss 0.01
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-deparam 0.5.1 allows a malicious user to inject properties into Object.prototype.
CVE-2021-20088Apr 23, 2021
risk 0.00cvss —epss 0.00
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in mootools-more 1.6.0 allows a malicious user to inject properties into Object.prototype.
CVE-2021-23370Apr 12, 2021
Nolimits4web
Swiper
risk 0.00cvss —epss 0.02
This affects the package swiper before 6.5.1.
CVE-2020-28503Mar 23, 2021
risk 0.00cvss —epss 0.01
The package copy-props before 2.0.5 are vulnerable to Prototype Pollution via the main functionality.
CVE-2021-25916Mar 16, 2021
risk 0.00cvss —epss 0.03
Prototype pollution vulnerability in 'patchmerge' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-21368Mar 12, 2021
risk 0.00cvss —epss 0.01
msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1, 4.5.1, and 5.2.1 there is a "Prototype Poisoning" vulnerability. When msgpack5 decodes a map containing a key "__proto__", it assigns the decoded value to __proto__.…
CVE-2021-25915Mar 9, 2021
risk 0.00cvss —epss 0.03
Prototype pollution vulnerability in 'changeset' versions 0.0.1 through 0.2.5 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-25914Mar 1, 2021
risk 0.00cvss —epss 0.03
Prototype pollution vulnerability in 'object-collider' versions 1.0.0 through 1.0.3 allows attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-21297Feb 26, 2021
node-red
node-red
risk 0.00cvss —epss 0.00
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to…
CVE-2021-27582Feb 23, 2021
risk 0.00cvss —epss 0.01
org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth…
CVE-2021-25913Feb 8, 2021
risk 0.00cvss —epss 0.03
Prototype pollution vulnerability in 'set-or-get' version 1.0.0 through 1.2.10 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2021-21304Feb 8, 2021
Dynamoose
Dynamoose
risk 0.00cvss —epss 0.01
Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method "lib/utils/object/set.ts". This method is used throughout the codebase for…
CVE-2020-28449Feb 4, 2021
risk 0.00cvss —epss 0.00
This affects all versions of package decal. The vulnerability is in the set function.
CVE-2020-28450Feb 4, 2021
risk 0.00cvss —epss 0.00
This affects all versions of package decal. The vulnerability is in the extend function.
CVE-2020-28495Feb 2, 2021
risk 0.00cvss —epss 0.06
This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the…
CVE-2021-23328Jan 29, 2021
risk 0.00cvss —epss 0.00
This affects all versions of package iniparserjs. This vulnerability relates when ini_parser.js is concentrating arrays. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.