VYPR

CWE-471

Modification of Assumed-Immutable Data (MAID)

BaseDraft

Description

The product does not properly protect an assumed-immutable element from being modified by an attacker.

This occurs when a particular input is critical enough to the functioning of the application that it should not be modifiable at all, but it is. Certain resources are often assumed to be immutable when they are not, such as hidden form fields in web applications, cookies, and reverse DNS lookups.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388

CVEs mapped to this weakness (23)

page 1 of 2
  • CVE-2018-3728HigMar 30, 2018
    risk 0.51cvss 8.8epss 0.04

    hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or…

  • CVE-2018-3723HigJun 7, 2018
    risk 0.50cvss 8.8epss 0.02

    defaults-deep node module before 0.2.4 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all…

  • CVE-2018-3722HigJun 7, 2018
    risk 0.50cvss 8.8epss 0.02

    merge-deep node module before 3.0.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all…

  • CVE-2018-3720HigJun 7, 2018
    risk 0.50cvss 8.8epss 0.02

    assign-deep node module before 0.4.7 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all…

  • CVE-2018-3719HigJun 7, 2018
    risk 0.50cvss 8.8epss 0.02

    mixin-deep node module before 1.3.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all…

  • CVE-2024-9876HigApr 30, 2025
    risk 0.47cvss 7.3epss 0.00

    : Modification of Assumed-Immutable Data (MAID) vulnerability in ABB ANC, ABB ANC-L, ABB ANC-mini.This issue affects ANC: through 1.1.4; ANC-L: through 1.1.4; ANC-mini: through 1.1.4.

  • CVE-2024-57708MedJun 25, 2025
    risk 0.40cvss 5.7epss 0.01

    An issue in OneTrust SDK v.6.33.0 allows a local attacker to cause a denial of service via the Object.setPrototypeOf, __proto__, and Object.assign components. NOTE: this is disputed by the Supplier who does not agree it is a prototype pollution vulnerability.

  • CVE-2026-54267higJun 15, 2026
    risk 0.39cvss epss 0.00

    To optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports **Hydration** via `provideClientHydration()`. During SSR, Angular serializes the application's runtime state (such as cached `HttpClient` responses) and outputs it into the HTML stream…

  • CVE-2026-44798HigMay 28, 2026
    risk 0.39cvss 7.1epss 0.00

    Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable.…

  • CVE-2018-3721MedJun 7, 2018
    risk 0.35cvss 6.5epss 0.02

    lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of…

  • CVE-2026-8492LowMay 19, 2026
    risk 0.18cvss 2.7epss 0.00

    Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing. This issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5.

  • CVE-2024-34517May 7, 2024
    risk 0.00cvss epss 0.01

    The Cypher component in Neo4j 5.0.0 through 5.18 mishandles IMMUTABLE privileges in some situations where an attacker already has admin access.

  • CVE-2022-2390Aug 12, 2022
    risk 0.00cvss epss 0.00

    Apps developed with Google Play Services SDK incorrectly had the mutability flag set to PendingIntents that were passed to the Notification service. As Google Play services SDK is so widely used, this bug affects many applications. For an application affected, this bug will let…

  • CVE-2020-28477Jan 19, 2021
    risk 0.00cvss epss 0.02

    This affects all versions of package immer.

  • CVE-2020-26268Dec 10, 2020
    risk 0.00cvss epss 0.00

    In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries…

  • CVE-2020-26245Nov 27, 2020
    risk 0.00cvss epss 0.02

    npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be…

  • CVE-2020-26237Nov 24, 2020
    risk 0.00cvss epss 0.01

    Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during…

  • CVE-2020-8268Nov 9, 2020
    risk 0.00cvss epss 0.01

    Prototype pollution vulnerability in json8-merge-patch npm package < 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor.

  • CVE-2020-15256Oct 19, 2020
    risk 0.00cvss epss 0.02

    A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of…

  • CVE-2020-8158Sep 18, 2020
    risk 0.00cvss epss 0.02

    Prototype pollution vulnerability in the TypeORM package < 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks.