CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
Description
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-180 · CAPEC-77
CVEs mapped to this weakness (108)
page 3 of 6

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-8161 | High | 0.49 | 7.5 | 0.00 | | May 12, 2026 | multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher. |
| CVE-2025-70956 | High | 0.49 | 7.5 | 0.00 | | Feb 13, 2026 | A State Pollution vulnerability was discovered in the TON Virtual Machine (TVM) before v2025.04. The issue exists in the RUNVM instruction logic (VmState::run_child_vm), which is responsible for initializing child virtual machines. The operation moves critical resources (specifically libraries and log) from the parent state to a new child state in a non-atomic manner. If an Out-of-Gas (OOG) exception occurs after resources are moved but before the state transition is finalized, the parent VM retains a corrupted state where these resources are emptied/invalid. Because RUNVM supports gas isolation, the parent VM continues execution with this corrupted state, leading to unexpected behavior or denial of service within the contract's context. |
| CVE-2025-26278 | High | 0.49 | 7.5 | 0.00 | | Sep 25, 2025 | A prototype pollution in the lib.set function of dref v0.1.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. |
| CVE-2024-57086 | High | 0.49 | 7.5 | 0.00 | | Feb 5, 2025 | A prototype pollution in the function fieldsToJson of node-opcua-alarm-condition v2.134.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. |
| CVE-2024-57084 | High | 0.49 | 7.5 | 0.00 | | Feb 5, 2025 | A prototype pollution in the function lib.parse of dot-properties v1.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. |
| CVE-2024-57080 | High | 0.49 | 7.5 | 0.00 | | Feb 5, 2025 | A prototype pollution in the lib.install function of vxe-table v4.8.10 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. |
| CVE-2024-57078 | High | 0.49 | 7.5 | 0.00 | | Feb 5, 2025 | A prototype pollution in the lib.merge function of cli-util v1.1.27 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. |
| CVE-2024-57072 | High | 0.49 | 7.5 | 0.00 | | Feb 5, 2025 | A prototype pollution in the lib.requireFromString function of module-from-string v3.3.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. |
| CVE-2024-57071 | High | 0.49 | 7.5 | 0.00 | | Feb 5, 2025 | A prototype pollution in the lib.combine function of php-parser v3.2.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. |
| CVE-2024-57069 | High | 0.49 | 7.5 | 0.00 | | Feb 5, 2025 | A prototype pollution in the lib function of expand-object v0.4.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. |
| CVE-2024-57067 | High | 0.49 | 7.5 | 0.00 | | Feb 5, 2025 | A prototype pollution in the lib.parse function of dot-qs v0.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. |
| CVE-2024-57066 | High | 0.49 | 7.5 | 0.00 | | Feb 5, 2025 | A prototype pollution in the lib.deep function of @ndhoule/defaults v2.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. |
| CVE-2024-57065 | High | 0.49 | 7.5 | 0.00 | | Feb 5, 2025 | A prototype pollution in the lib.createPath function of utile v0.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. |
| CVE-2024-57064 | High | 0.49 | 7.5 | 0.00 | | Feb 5, 2025 | A prototype pollution in the lib.setValue function of @syncfusion/ej2-spreadsheet v27.2.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. NOTE: the Supplier disputes this because they found that the lib.setValue function is not utilized. |
| CVE-2024-57063 | High | 0.49 | 7.5 | 0.00 | | Feb 5, 2025 | A prototype pollution in the lib function of php-date-formatter v1.3.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. |
| CVE-2024-32866 | High | 0.49 | 8.6 | 0.00 | | Apr 23, 2024 | Conform, a type-safe form validation library, allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a crafted input to `parseWith...` functions. Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability. Version 1.1.1 contains a patch for the issue. |
| CVE-2026-42035 | High | 0.48 | 7.4 | 0.00 | | Apr 24, 2026 | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself — any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1. |
| CVE-2026-42033 | High | 0.48 | 7.4 | 0.00 | | Apr 24, 2026 | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process. This vulnerability is fixed in 1.15.1 and 0.31.1. |
| CVE-2025-68130 | High | 0.48 | — | 0.00 | | Dec 16, 2025 | tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts. Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`. Versions 10.45.3 and 11.8.0 fix the issue. |
| CVE-2026-6621 | High | 0.47 | 7.3 | 0.00 | | Apr 20, 2026 | A vulnerability was determined in 1024bit extend-deep up to 0.1.6. The impacted element is an unknown function of the file index.js. This manipulation of the argument __proto__ causes improperly controlled modification of object prototype attributes. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The code repository of the project has not been active for many years. |