VYPR

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

VariantIncomplete

Description

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-180 · CAPEC-77

CVEs mapped to this weakness (503)

page 4 of 26
  • CVE-2024-57086HigFeb 5, 2025
    risk 0.49cvss 7.5epss 0.00

    A prototype pollution in the function fieldsToJson of node-opcua-alarm-condition v2.134.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

  • CVE-2024-57084HigFeb 5, 2025
    risk 0.49cvss 7.5epss 0.00

    A prototype pollution in the function lib.parse of dot-properties v1.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

  • CVE-2024-57080HigFeb 5, 2025
    risk 0.49cvss 7.5epss 0.00

    A prototype pollution in the lib.install function of vxe-table v4.8.10 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

  • CVE-2024-57078HigFeb 5, 2025
    risk 0.49cvss 7.5epss 0.00

    A prototype pollution in the lib.merge function of cli-util v1.1.27 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

  • CVE-2024-57072HigFeb 5, 2025
    risk 0.49cvss 7.5epss 0.01

    A prototype pollution in the lib.requireFromString function of module-from-string v3.3.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

  • CVE-2024-57071HigFeb 5, 2025
    risk 0.49cvss 7.5epss 0.00

    A prototype pollution in the lib.combine function of php-parser v3.2.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

  • CVE-2024-57069HigFeb 5, 2025
    risk 0.49cvss 7.5epss 0.00

    A prototype pollution in the lib function of expand-object v0.4.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

  • CVE-2024-57067HigFeb 5, 2025
    risk 0.49cvss 7.5epss 0.00

    A prototype pollution in the lib.parse function of dot-qs v0.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

  • CVE-2024-57066HigFeb 5, 2025
    risk 0.49cvss 7.5epss 0.00

    A prototype pollution in the lib.deep function of @ndhoule/defaults v2.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

  • CVE-2024-57065HigFeb 5, 2025
    risk 0.49cvss 7.5epss 0.01

    A prototype pollution in the lib.createPath function of utile v0.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

  • CVE-2024-57064HigFeb 5, 2025
    risk 0.49cvss 7.5epss 0.00

    A prototype pollution in the lib.setValue function of @syncfusion/ej2-spreadsheet v27.2.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. NOTE: the Supplier disputes this because they found that the lib.setValue function is not utilized.

  • CVE-2024-57063HigFeb 5, 2025
    risk 0.49cvss 7.5epss 0.00

    A prototype pollution in the lib function of php-date-formatter v1.3.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

  • CVE-2024-36581HigJun 17, 2024
    risk 0.49cvss 7.6epss 0.01

    A Prototype Pollution issue in abw badger-database 1.2.1 allows an attacker to execute arbitrary code via dist/badger-database.esm.

  • CVE-2024-32866HigApr 23, 2024
    risk 0.49cvss 8.6epss 0.01

    Conform, a type-safe form validation library, allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a…

  • CVE-2025-68130HigDec 16, 2025
    risk 0.48cvss epss 0.00

    tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a A prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the…

  • CVE-2026-44966HigMay 26, 2026
    risk 0.47cvss 8.3epss 0.01

    Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the processing of #set directives in Velocity templates. If an application renders…

  • CVE-2026-6621HigApr 20, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was determined in 1024bit extend-deep up to 0.1.6. The impacted element is an unknown function of the file index.js. This manipulation of the argument __proto__ causes improperly controlled modification of object prototype attributes. Remote exploitation of the…

  • CVE-2026-6594HigApr 20, 2026
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be…

  • CVE-2025-62381HigOct 15, 2025
    risk 0.47cvss epss 0.01

    sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype,…

  • CVE-2025-3197HigApr 4, 2025
    risk 0.47cvss 7.3epss 0.00

    Versions of the package expand-object from 0.0.0 are vulnerable to Prototype Pollution in the expand() function in index.js. This function expands the given string into an object and allows a nested property to be set without checking the provided keys for sensitive properties…