Vulnerabilities (CVE)

Filtered by CWE-1321
Total 270 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-21505 2024-03-25 N/A 7.5 HIGH
Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge. An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.
CVE-2022-4742 1 Json-pointer Project 1 Json-pointer 2024-03-21 N/A 9.8 CRITICAL
A vulnerability, which was classified as critical, has been found in json-pointer. Affected by this issue is the function set of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. The name of the patch is 859c9984b6c407fc2d5a0a7e47c7274daa681941. It is recommended to apply a patch to fix this issue. VDB-216794 is the identifier assigned to this vulnerability.
CVE-2022-37598 1 Uglifyjs Project 1 Uglifyjs 2024-03-21 N/A 9.8 CRITICAL
Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
CVE-2021-4279 1 Starcounter-jack 1 Json-patch 2024-03-21 N/A 9.8 CRITICAL
A vulnerability has been found in Starcounter-Jack JSON-Patch up to 3.1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.1 is able to address this issue. The name of the patch is 7ad6af41eabb2d799f698740a91284d762c955c9. It is recommended to upgrade the affected component. VDB-216778 is the identifier assigned to this vulnerability.
CVE-2021-4278 1 Tree Kit Project 1 Tree Kit 2024-03-21 N/A 7.8 HIGH
A vulnerability classified as problematic has been found in cronvel tree-kit up to 0.6.x. This affects an unknown part. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). Upgrading to version 0.7.0 is able to address this issue. The name of the patch is a63f559c50d70e8cb2eaae670dec25d1dbc4afcd. It is recommended to upgrade the affected component. The identifier VDB-216765 was assigned to this vulnerability.
CVE-2021-4264 1 Linkedin 1 Dustjs 2024-03-21 N/A 8.8 HIGH
A vulnerability was found in LinkedIn dustjs up to 2.x and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.0.0 is able to address this issue. The name of the patch is ddb6523832465d38c9d80189e9de60519ac307c3. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216464.
CVE-2021-42581 1 Ramdajs 1 Ramda 2024-03-21 6.4 MEDIUM 9.1 CRITICAL
Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes
CVE-2020-36632 1 Flat Project 1 Flat 2024-03-21 N/A 9.8 CRITICAL
A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 is able to address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.
CVE-2023-36665 1 Protobufjs Project 1 Protobufjs 2024-03-19 N/A 9.8 CRITICAL
"protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.5 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty.
CVE-2024-2495 2024-03-15 N/A 5.2 MEDIUM
Cryptographic key vulnerability encoded in the FriendlyWrt firmware affecting version 2022-11-16.51b3d35. This vulnerability could allow an attacker to compromise the confidentiality and integrity of encrypted data.
CVE-2023-0842 1 Xml2js Project 1 Xml2js 2024-03-14 N/A 5.3 MEDIUM
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.
CVE-2022-2564 1 Mongoosejs 1 Mongoose 2024-03-12 N/A 9.8 CRITICAL
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.
CVE-2024-27307 2024-03-06 N/A 9.8 CRITICAL
JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions. This issue has been fixed in JSONata versions 1.8.7 and 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. As a workaround, one may apply the patch manually.
CVE-2023-26136 1 Salesforce 1 Tough-cookie 2024-02-28 N/A 9.8 CRITICAL
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
CVE-2018-3721 2 Lodash, Netapp 3 Lodash, Active Iq Unified Manager, System Manager 2024-02-16 4.0 MEDIUM 6.5 MEDIUM
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
CVE-2019-11358 11 Backdropcms, Debian, Drupal and 8 more 105 Backdrop, Debian Linux, Drupal and 102 more 2024-02-16 4.3 MEDIUM 6.1 MEDIUM
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVE-2021-23452 1 Binaryops 1 X-assign 2024-02-14 7.5 HIGH 9.8 CRITICAL
This affects all versions of package x-assign. The global proto object can be polluted using the __proto__ object.
CVE-2021-28860 1 Adaltas 1 Mixme 2024-02-14 6.4 MEDIUM 9.1 CRITICAL
In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).
CVE-2022-21169 1 Express Xss Sanitizer Project 1 Express Xss Sanitizer 2024-02-14 N/A 6.1 MEDIUM
The package express-xss-sanitizer before 1.1.3 are vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization.
CVE-2023-26135 1 Flatnest Project 1 Flatnest 2024-02-07 N/A 9.8 CRITICAL
All versions of the package flatnest are vulnerable to Prototype Pollution via the nest() function in the flatnest/nest.js file.