CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Description
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-1 · CAPEC-180 · CAPEC-77
CVEs mapped to this weakness (503)
page 4 of 26| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-57086 | Hig | 0.49 | 7.5 | 0.00 | Feb 5, 2025 | A prototype pollution in the function fieldsToJson of node-opcua-alarm-condition v2.134.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | ||
| CVE-2024-57084 | Hig | 0.49 | 7.5 | 0.00 | Feb 5, 2025 | A prototype pollution in the function lib.parse of dot-properties v1.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | ||
| CVE-2024-57080 | Hig | 0.49 | 7.5 | 0.00 | Feb 5, 2025 | A prototype pollution in the lib.install function of vxe-table v4.8.10 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | ||
| CVE-2024-57078 | — | Hig | 0.49 | 7.5 | 0.00 | Feb 5, 2025 | A prototype pollution in the lib.merge function of cli-util v1.1.27 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |
| CVE-2024-57072 | — | Hig | 0.49 | 7.5 | 0.01 | Feb 5, 2025 | A prototype pollution in the lib.requireFromString function of module-from-string v3.3.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |
| CVE-2024-57071 | — | Hig | 0.49 | 7.5 | 0.00 | Feb 5, 2025 | A prototype pollution in the lib.combine function of php-parser v3.2.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |
| CVE-2024-57069 | Hig | 0.49 | 7.5 | 0.00 | Feb 5, 2025 | A prototype pollution in the lib function of expand-object v0.4.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | ||
| CVE-2024-57067 | — | Hig | 0.49 | 7.5 | 0.00 | Feb 5, 2025 | A prototype pollution in the lib.parse function of dot-qs v0.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |
| CVE-2024-57066 | — | Hig | 0.49 | 7.5 | 0.00 | Feb 5, 2025 | A prototype pollution in the lib.deep function of @ndhoule/defaults v2.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |
| CVE-2024-57065 | Hig | 0.49 | 7.5 | 0.01 | Feb 5, 2025 | A prototype pollution in the lib.createPath function of utile v0.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | ||
| CVE-2024-57064 | Hig | 0.49 | 7.5 | 0.00 | Feb 5, 2025 | A prototype pollution in the lib.setValue function of @syncfusion/ej2-spreadsheet v27.2.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. NOTE: the Supplier disputes this because they found that the lib.setValue function is not utilized. | ||
| CVE-2024-57063 | Hig | 0.49 | 7.5 | 0.00 | Feb 5, 2025 | A prototype pollution in the lib function of php-date-formatter v1.3.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | ||
| CVE-2024-36581 | — | Hig | 0.49 | 7.6 | 0.01 | Jun 17, 2024 | A Prototype Pollution issue in abw badger-database 1.2.1 allows an attacker to execute arbitrary code via dist/badger-database.esm. | |
| CVE-2024-32866 | — | Hig | 0.49 | 8.6 | 0.01 | Apr 23, 2024 | Conform, a type-safe form validation library, allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a… | |
| CVE-2025-68130 | Hig | 0.48 | — | 0.00 | Dec 16, 2025 | tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a A prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the… | ||
| CVE-2026-44966 | Hig | 0.47 | 8.3 | 0.01 | May 26, 2026 | Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the processing of #set directives in Velocity templates. If an application renders… | ||
| CVE-2026-6621 | Hig | 0.47 | 7.3 | 0.00 | Apr 20, 2026 | A vulnerability was determined in 1024bit extend-deep up to 0.1.6. The impacted element is an unknown function of the file index.js. This manipulation of the argument __proto__ causes improperly controlled modification of object prototype attributes. Remote exploitation of the… | ||
| CVE-2026-6594 | Hig | 0.47 | 7.3 | 0.00 | Apr 20, 2026 | A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be… | ||
| CVE-2025-62381 | Hig | 0.47 | — | 0.01 | Oct 15, 2025 | sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype,… | ||
| CVE-2025-3197 | Hig | 0.47 | 7.3 | 0.00 | Apr 4, 2025 | Versions of the package expand-object from 0.0.0 are vulnerable to Prototype Pollution in the expand() function in index.js. This function expands the given string into an object and allows a nested property to be set without checking the provided keys for sensitive properties… |
- risk 0.49cvss 7.5epss 0.00
A prototype pollution in the function fieldsToJson of node-opcua-alarm-condition v2.134.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- risk 0.49cvss 7.5epss 0.00
A prototype pollution in the function lib.parse of dot-properties v1.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- risk 0.49cvss 7.5epss 0.00
A prototype pollution in the lib.install function of vxe-table v4.8.10 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- risk 0.49cvss 7.5epss 0.00
A prototype pollution in the lib.merge function of cli-util v1.1.27 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- risk 0.49cvss 7.5epss 0.01
A prototype pollution in the lib.requireFromString function of module-from-string v3.3.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- risk 0.49cvss 7.5epss 0.00
A prototype pollution in the lib.combine function of php-parser v3.2.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- risk 0.49cvss 7.5epss 0.00
A prototype pollution in the lib function of expand-object v0.4.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- risk 0.49cvss 7.5epss 0.00
A prototype pollution in the lib.parse function of dot-qs v0.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- risk 0.49cvss 7.5epss 0.00
A prototype pollution in the lib.deep function of @ndhoule/defaults v2.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- risk 0.49cvss 7.5epss 0.01
A prototype pollution in the lib.createPath function of utile v0.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- risk 0.49cvss 7.5epss 0.00
A prototype pollution in the lib.setValue function of @syncfusion/ej2-spreadsheet v27.2.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. NOTE: the Supplier disputes this because they found that the lib.setValue function is not utilized.
- risk 0.49cvss 7.5epss 0.00
A prototype pollution in the lib function of php-date-formatter v1.3.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- risk 0.49cvss 7.6epss 0.01
A Prototype Pollution issue in abw badger-database 1.2.1 allows an attacker to execute arbitrary code via dist/badger-database.esm.
- risk 0.49cvss 8.6epss 0.01
Conform, a type-safe form validation library, allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a…
- risk 0.48cvss —epss 0.00
tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a A prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the…
- risk 0.47cvss 8.3epss 0.01
Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the processing of #set directives in Velocity templates. If an application renders…
- risk 0.47cvss 7.3epss 0.00
A vulnerability was determined in 1024bit extend-deep up to 0.1.6. The impacted element is an unknown function of the file index.js. This manipulation of the argument __proto__ causes improperly controlled modification of object prototype attributes. Remote exploitation of the…
- risk 0.47cvss 7.3epss 0.00
A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be…
- risk 0.47cvss —epss 0.01
sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype,…
- risk 0.47cvss 7.3epss 0.00
Versions of the package expand-object from 0.0.0 are vulnerable to Prototype Pollution in the expand() function in index.js. This function expands the given string into an object and allows a nested property to be set without checking the provided keys for sensitive properties…