VYPR

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

Description

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
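The sentence above is the whole of the weakness: a merge, setter or path-assignment routine walks into whatever property a caller names, and the property named `__proto__` is `Object.prototype`, shared by every plain object in the process. The following is an added example, not code from this CWE entry or from any of the projects listed below. It shows the vulnerable shape of a recursive merge beside a hardened one, plus a parse-boundary alternative; the merge function names and the JSON payload are constructed for the demonstration.

```javascript
// Added example for this page (not code from any of the projects listed):
// a recursive "deep merge" in the vulnerable shape, then hardened.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE: for the key "__proto__", target[key] is Object.prototype, which
// passes isPlainObject, so the recursion writes the nested keys onto the
// shared prototype instead of onto the target object.
function mergeVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: drop the three keys that reach a prototype (rejecting the whole
// input is the stricter choice), iterate own keys only (for...in would also
// copy inherited keys from an already-polluted prototype), and never recurse
// into a child the target merely inherits rather than owns.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.hasOwn(target, key) ? target[key] : undefined;
      const child = isPlainObject(own) ? own : {};
      target[key] = child;
      mergeSafe(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Alternative at the parse boundary: a JSON.parse reviver that returns
// undefined deletes the property, so no downstream merge ever sees the key.
function parseJsonStripped(text) {
  return JSON.parse(text, (key, value) => (UNSAFE_KEYS.has(key) ? undefined : value));
}

// Constructed attacker payload, as it would arrive in a JSON request body.
// JSON.parse creates an OWN property literally named "__proto__" here; it
// does not change the parsed object's prototype.
const PAYLOAD = '{"name":"alice","__proto__":{"isAdmin":true}}';

// Merge PAYLOAD into an empty config and report whether an unrelated,
// freshly created object now inherits isAdmin.
function run(merge, parse = JSON.parse) {
  const cfg = merge({}, parse(PAYLOAD));
  const polluted = Object.hasOwn(Object.prototype, 'isAdmin');
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo so the next run starts clean
  return { cfgKeys: Object.keys(cfg), polluted, leaked };
}

function main() {
  console.log('vulnerable merge:', run(mergeVulnerable));
  console.log('hardened merge:  ', run(mergeSafe));
  console.log('stripped parse:  ', run(mergeVulnerable, parseJsonStripped));
}
main();
```

The `polluted` check (`Object.hasOwn(Object.prototype, 'isAdmin')`) is also the cheapest runtime detector for this class: any own, configurable key on `Object.prototype` that your code did not put there is evidence that something in the process merged untrusted input. `mergeVulnerable` is only shown being polluted through `__proto__`; the `constructor.prototype` route that the deepobj and RVF entries below also mention depends on the exact traversal logic of the affected library and is not reproduced here.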

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-180 · CAPEC-77

CVEs mapped to this weakness (503)

page 3 of 26
  • CVE-2025-62410 · Critical · Oct 15, 2025
    risk 0.54 · cvss n/a · epss 0.00

    In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype…

  • CVE-2026-46509 · High · May 28, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    deepobj provides get, set, delete deep objects in javascript. Prior to 1.0.3, prototype pollution is possible when property paths contain __proto__/constructor/prototype. The property path must not be exposed as user input. This vulnerability is fixed in 1.0.3.

  • CVE-2026-44483 · High · May 27, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    RVF (formerly Remix Validated Form) provides easy form validation and state management for React. From 6.0.0 to before 6.0.4 and 7.0.2, setPath in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) does not block the keys __proto__, constructor,…

  • CVE-2026-44291 · High · May 13, 2026
    risk 0.53 · cvss 8.1 · epss 0.01

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been…

  • CVE-2024-39016 · High · Jul 1, 2024
    risk 0.53 · cvss 8.1 · epss 0.01

    che3vinci c3/utils-1 1.0.131 was discovered to contain a prototype pollution via the function assign. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

  • CVE-2024-36583 · High · Jun 17, 2024
    risk 0.53 · cvss 8.1 · epss 0.01

    A Prototype Pollution issue in byondreal accessor <= 1.0.0 allows an attacker to execute arbitrary code via @byondreal/accessor/index.

  • CVE-2026-48170 · Critical · Jun 22, 2026
    risk 0.52 · cvss n/a · epss n/a

    Summary: `scim-patch` performs prototype pollution when applying a SCIM PATCH operation whose `value` object contains a key like `"__proto__.someProp"`. After one such patch, `Object.prototype.someProp` is set process-wide, affecting every plain object in the Node process. …

  • CVE-2026-48714 · Critical · Jun 15, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys __proto__, constructor, and prototype (added in 3.9.3, see…

  • CVE-2026-48713 · Critical · Jun 15, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input). Backend.writeFile() splits each queued missing-key…

  • CVE-2026-34221 · Critical · Mar 31, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures. The…

  • CVE-2025-27597 · High · Mar 7, 2025
    risk 0.51 · cvss n/a · epss 0.01

    Vue I18n is the internationalization plugin for Vue.js. @intlify/message-resolver and @intlify/vue-i18n-core are vulnerable to Prototype Pollution through the entry function: handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify…

  • CVE-2018-3728 · High · Mar 30, 2018
    risk 0.51 · cvss 8.8 · epss 0.04

    hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or…

  • CVE-2026-44494 · High · Jun 11, 2026
    risk 0.50 · cvss 8.7 · epss 0.00

    Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full…

  • CVE-2025-55164 · High · Aug 12, 2025
    risk 0.50 · cvss n/a · epss 0.00

    content-security-policy-parser parses content security policy directives. A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if a policy name is called __proto__, one can override the Object prototype. This issue has been patched in version 0.6.0.…

  • CVE-2025-8101 · High · Jul 25, 2025
    risk 0.50 · cvss n/a · epss 0.01

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Linkify (linkifyjs) allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables. This issue affects Linkify: from 4.3.1 before 4.3.2.

  • CVE-2018-3720 · High · Jun 7, 2018
    risk 0.50 · cvss 8.8 · epss 0.02

    assign-deep node module before 0.4.7 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all…

  • CVE-2026-44290 · High · May 13, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause…

  • CVE-2026-41690 · High · May 8, 2026
    risk 0.49 · cvss 8.6 · epss 0.00

    i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated…

  • CVE-2025-26278 · High · Sep 25, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    A prototype pollution in the lib.set function of dref v0.1.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

  • CVE-2025-57319 · High · Sep 24, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    fast-redact is a package that provides very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing…
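Two kinds of entry appear in the list above. Most (deepobj, RVF, hoek, assign-deep, scim-patch, fast-redact and the i18next packages) are sources: code that writes untrusted keys into objects. The two protobufjs entries and the Axios entry are the other kind, "gadgets": code with no pollution bug of its own that nevertheless misbehaves once `Object.prototype` has been polluted elsewhere in the dependency tree, because it looks names up in plain objects or walks dotted option paths through inherited properties. The following is an added example, not protobufjs or Axios code, illustrating that gadget side and the consumer-side fix; the registry, the option names and the simulated pollution are all constructed for the demonstration.

```javascript
// Added example for this page (not protobufjs or Axios code): the "gadget"
// side of CWE-1321. Nothing here merges untrusted input; it shows how code
// that reads names from a plain object, or walks a dotted path through one,
// is subverted once Object.prototype is already polluted, and how to write
// the same code so pollution elsewhere cannot reach it.

// Simulated pollution. In a real process this comes from a vulnerable merge
// somewhere in the dependency tree, not from a direct assignment like this.
function pollute(name, value) { Object.prototype[name] = value; }
function cleanup(name) { delete Object.prototype[name]; }

// FRAGILE: a plain-object registry. A read for a name that was never
// registered falls through to Object.prototype, so an attacker-chosen name
// resolves to whatever the pollution put there.
function makePlainRegistry() { return {}; }
function lookupFragile(registry, name) {
  return name in registry ? registry[name] : undefined; // `in` sees inherited keys too
}

// HARDENED: null-prototype storage, so there is no chain to fall through,
// plus an own-property check for callers that did not create the object.
function makeSafeRegistry() { return Object.create(null); }
function lookupSafe(registry, name) {
  return Object.hasOwn(registry, name) ? registry[name] : undefined;
}

// FRAGILE: dotted-path traversal (the shape of schema option paths). Each hop
// uses [] on whatever it reached, so a segment that is not an own key of the
// current object is served from its prototype.
function getPathFragile(obj, path) {
  return path.split('.').reduce((cur, seg) => (cur == null ? undefined : cur[seg]), obj);
}

// HARDENED: stop at the first segment the current object does not own.
function getPathSafe(obj, path) {
  let cur = obj;
  for (const seg of path.split('.')) {
    if (cur === null || typeof cur !== 'object' || !Object.hasOwn(cur, seg)) return undefined;
    cur = cur[seg];
  }
  return cur;
}

function demo() {
  const plain = makePlainRegistry(); plain.user = 'decodeUser';
  const safe = makeSafeRegistry();   safe.user = 'decodeUser';
  const options = { timeout: 1000 }; // constructed config; has no "fallbackHost"

  // An attacker has already polluted the process with a handler under a type
  // name they control and an option the code below never set.
  pollute('evil', 'attackerHandler');
  pollute('fallbackHost', { host: 'attacker.example' });

  const result = {
    fragileHit: lookupFragile(plain, 'evil'),                  // 'attackerHandler'
    safeHit: lookupSafe(safe, 'evil'),                         // undefined
    fragilePath: getPathFragile(options, 'fallbackHost.host'), // 'attacker.example'
    safePath: getPathSafe(options, 'fallbackHost.host'),       // undefined
    legitimate: lookupSafe(safe, 'user'),                      // 'decodeUser'
  };
  cleanup('evil');
  cleanup('fallbackHost');
  return result;
}

console.log(demo());
```

For code that keys on untrusted names, `Map` is the simplest replacement for a plain-object registry and needs no `hasOwn` discipline at all. At the process level, freezing the intrinsics (`Object.freeze(Object.prototype)` early at startup, or Node's experimental `--frozen-intrinsics` flag) turns a pollution attempt into a no-op or a thrown error, at the cost of breaking any dependency that legitimately extends built-in prototypes; test that before relying on it.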