VYPR

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Abstraction: Variant · Status: Incomplete

Description

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
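The classic instance of this weakness in JavaScript is a recursive "deep merge" or "extend" that copies attacker-controlled keys into an object without checking whether a key names the prototype. The following is an added example written for this page, not code from the CWE entry or from any project listed below; the function names `unsafeMerge`, `safeMerge` and `demo` and the JSON request body are constructed for the demonstration.

```javascript
// Added example for CWE-1321 (not code from CWE or any listed project).
// A recursive merge in the shape many libraries use, first as commonly
// written (vulnerable), then hardened. The attacker body is constructed.

// Vulnerable: for...in walks every enumerable key of `src`, including an
// own property literally named "__proto__" (which JSON.parse creates).
// Reading dst["__proto__"] yields Object.prototype, so the recursion then
// writes the attacker's keys onto every plain object in the process.
function unsafeMerge(dst, src) {
  for (const key in src) {
    const value = src[key];
    if (value !== null && typeof value === 'object') {
      if (dst[key] === null || typeof dst[key] !== 'object') dst[key] = {};
      unsafeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened: refuse the three keys that reach the prototype chain, walk own
// keys only, and never descend into a value that `dst` merely inherits.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) {
      throw new Error('refusing to merge reserved key: ' + key);
    }
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) ||
          dst[key] === null || typeof dst[key] !== 'object') {
        dst[key] = {};
      }
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Runs both merges on the same constructed body and reports what an
// unrelated, freshly created object sees afterwards.
function demo() {
  // Constructed request body; "name" is the benign part.
  const body = '{"name": "alice", "__proto__": {"isAdmin": true}}';

  const before = ({}).isAdmin;            // undefined
  unsafeMerge({}, JSON.parse(body));
  const afterUnsafe = ({}).isAdmin;       // true: every object is now "admin"
  delete Object.prototype.isAdmin;        // undo the pollution before the next step

  let rejected = false;
  try {
    safeMerge({}, JSON.parse(body));
  } catch (e) {
    rejected = true;                      // the hardened merge rejects the body
  }
  const afterSafe = ({}).isAdmin;         // still undefined

  // The hardened merge still handles an ordinary nested body.
  const merged = safeMerge(
    { role: 'user' },
    JSON.parse('{"name": "alice", "prefs": {"theme": "dark"}}')
  );

  return { before, afterUnsafe, rejected, afterSafe, merged };
}

console.log(demo());
```

Throwing rather than silently skipping the key is deliberate: a request body that carries `__proto__` or `constructor.prototype` is hostile, and a server should reject it rather than merge the remainder. Note also the `hasOwnProperty` check on `dst`: without it, a key that happens to name an inherited object would send the recursion into that shared object even when the key itself is not on the deny list.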

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-180 · CAPEC-77

CVEs mapped to this weakness (503)

page 5 of 26
  • CVE-2024-33519 · High · Jul 24, 2024
    risk 0.47 · cvss 7.2 · epss 0.01

    A vulnerability in the web-based management interface of HPE Aruba Networking EdgeConnect SD-WAN gateway could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to…

  • CVE-2024-36577 · High · Jun 17, 2024
    risk 0.47 · cvss 8.3 · epss 0.00

    apphp js-object-resolver < 3.1.1 is vulnerable to Prototype Pollution via Module.setNestedProperty.

  • CVE-2024-21512 · High · May 29, 2024
    risk 0.47 · cvss 8.2 · epss 0.03

    Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.

  • CVE-2026-45302 · High · Jun 1, 2026
    risk 0.46 · cvss 8.2 · epss 0.00

    parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field…

  • CVE-2026-46510 · High · May 29, 2026
    risk 0.46 · cvss 8.2 · epss 0.00

    form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field whose name starts with __proto__[...]…

  • CVE-2026-8657 · High · May 16, 2026
    risk 0.46 · cvss 8.2 · epss 0.00

    Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs. An attacker can perform prototype pollution by supplying crafted delta or JSON Patch documents, as…

  • CVE-2025-34146 · High · Jul 31, 2025
    risk 0.46 · cvss (none listed) · epss 0.00

    A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition or, under certain conditions, escape…

  • CVE-2024-21489 · High · Oct 1, 2024
    risk 0.46 · cvss 8.2 · epss 0.01

    Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribute resolves to the object prototype.

  • CVE-2024-21529 · High · Sep 11, 2024
    risk 0.46 · cvss 8.2 · epss 0.01

    Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property __proto__, which is…

  • CVE-2024-29651 · High · May 20, 2024
    risk 0.46 · cvss 8.1 · epss 0.01

    A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v.11.0.0 and v.11.1.0 allows a remote attacker to execute arbitrary code via the `bundle()`, `parse()`, `resolve()` and `dereference()` functions.

  • CVE-2026-54312 · High · Jun 16, 2026
    risk 0.45 · cvss (none listed) · epss 0.00

    Impact: An authenticated user with permission to create or modify workflows could achieve global prototype pollution via the Microsoft SQL node by supplying a crafted value as the table parameter. This pollutes `Object.prototype` process-wide for the lifetime of the n8n server…

  • CVE-2026-41238 · Medium · Apr 23, 2026
    risk 0.45 · cvss 6.9 · epss 0.00

    DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING`…

  • CVE-2025-57820 · High · Aug 26, 2025
    risk 0.44 · cvss (none listed) · epss 0.00

    Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a __proto__ property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties,…

  • CVE-2026-46625 · High · Jun 10, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an…

  • CVE-2026-8161 · High · May 12, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes…

  • CVE-2026-35209 · High · Apr 6, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    defu is software that allows users to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to `defu()` are…

  • CVE-2025-70956 · High · Feb 13, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    A State Pollution vulnerability was discovered in the TON Virtual Machine (TVM) before v2025.04. The issue exists in the RUNVM instruction logic (VmState::run_child_vm), which is responsible for initializing child virtual machines. The operation moves critical resources…

  • CVE-2026-25639 · High · Feb 9, 2026
    risk 0.42 · cvss 7.5 · epss 0.02

    Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by…

  • CVE-2025-57351 · Medium · Sep 24, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject…

  • CVE-2025-57354 · Medium · Sep 24, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    A vulnerability exists in the 'counterpart' library for Node.js and the browser due to insufficient sanitization of user-controlled input in translation key processing. The affected versions prior to 0.18.6 allow attackers to manipulate the library's translation functionality by…
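Several entries on this page (the two form-data parsers, dset, js-object-resolver, and the multiparty field-name collision) share one mechanism: a field or path name such as `user[name]` or `a.b.c` is walked segment by segment into nested objects, and a segment of `__proto__`, `constructor` or `prototype` steers that walk onto the prototype chain. The following is an added example written for this page, not code from any of those projects; `splitPath`, `setPath`, `parseFields`, `demo` and the sample field names are assumptions made for the demonstration.

```javascript
// Added example (not code from any project listed above). Parses form
// field names in bracket and dot notation into nested objects, rejects
// the segments that reach the prototype chain, and stores values in
// null-prototype containers so a field named like an inherited property
// ("toString") cannot collide with Object.prototype. Data is constructed.

const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// "user[address][city]" -> ["user", "address", "city"]; "a.b" -> ["a", "b"].
function splitPath(name) {
  const parts = [];
  const re = /([^.\[\]]+)|\[([^\]]*)\]/g;
  let m;
  while ((m = re.exec(name)) !== null) {
    parts.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return parts;
}

// Walks `parts` into `root`, creating null-prototype containers on the way.
function setPath(root, parts, value) {
  let node = root;
  for (let i = 0; i < parts.length; i++) {
    const key = parts[i];
    if (RESERVED.has(key)) {
      throw new Error('rejected field name segment: ' + key);
    }
    if (i === parts.length - 1) {
      node[key] = value;
      return;
    }
    // Descend only into a container this parser created, never into a
    // value that `node` merely inherits.
    if (!Object.prototype.hasOwnProperty.call(node, key) ||
        node[key] === null || typeof node[key] !== 'object') {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
}

// `fields` is an array of [name, value] pairs, the shape a multipart or
// urlencoded body parser hands over. Returns a null-prototype object.
function parseFields(fields) {
  const root = Object.create(null);
  for (const [name, value] of fields) {
    const parts = splitPath(name);
    if (parts.length === 0) continue;
    setPath(root, parts, value);
  }
  return root;
}

function demo() {
  // Constructed benign submission, including a field whose name is also an
  // inherited property of every ordinary object.
  const benign = parseFields([
    ['user[name]', 'alice'],
    ['user.roles', 'reader'],
    ['toString', 'just a value'],
  ]);

  // Constructed hostile field names of the kind the advisories describe.
  const hostile = [
    ['__proto__[isAdmin]', 'true'],
    ['constructor[prototype][isAdmin]', 'true'],
    ['user[__proto__][isAdmin]', 'true'],
  ];
  let rejected = 0;
  for (const field of hostile) {
    try { parseFields([field]); } catch (e) { rejected += 1; }
  }

  return {
    name: benign.user.name,
    roles: benign.user.roles,
    toStringValue: benign.toString,
    // On a plain object this lookup returns the inherited function before
    // any field is assigned; on the null-prototype bag there is nothing.
    inheritedOnPlain: typeof ({}).toString,
    inheritedOnBag: typeof Object.create(null).toString,
    rejected,
    polluted: ({}).isAdmin,
  };
}

console.log(demo());
```

The two defences cover different failure modes. A null-prototype container has no `__proto__` accessor, so even an unchecked `node['__proto__'] = ...` would only create an own property; it also means a field named `toString` or `constructor` is absent until the parser sets it, which is the lookup collision that turns into an uncaught exception in a parser that does `if (bag[name]) bag[name].push(value)`. The reserved-segment check is still needed because the parsed result is usually spread or merged into an ordinary object later, and an own `__proto__` key survives that trip.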