Critical
CVE-2022-39396
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code…
Tag: Prototype Pollution
All CVEs associated with "Prototype Pollution". Page 3/4 • 456 CVEs.
Subscribe CVEs: RSS for “Prototype Pollution” · RSS (High+Critical only)
About “Prototype Pollution”
A curated feed of “Prototype Pollution”-related CVEs appears below. We currently track 456 CVEs for this tag (all time). In the last 365 days, 93 were published. Average CVSS is 8.0 (all time; 7.6 over 365d), and 77% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'), CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting').
In our taxonomy this topic maps to a MODERATE impact class. Common exploitation patterns for this weakness can lead to moderate. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2022-11-10
2022-10-31
Critical
CVE-2022-37623
Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the shimPath variable in resolve-shims.js.
2022-10-28
Critical
CVE-2022-37621
Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the fullPath variable in resolve-shims.js.
2022-10-26
High
CVE-2022-39357
Winter is a free, open-source content management system based on the Laravel PHP framework. The Snowboard framework in versions 1.1.8, 1.1.9, and 1.2.0 is vulnerable to prototype pollution in the mai…
2022-10-20
Critical
CVE-2022-37598
Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.
2022-10-14
Critical
CVE-2022-37602
Prototype pollution vulnerability in karma-runner grunt-karma 4.0.1 via the key variable in grunt-karma.js.
2022-10-12
Critical
CVE-2022-37601
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Critical
CVE-2022-37614
Prototype pollution vulnerability in function enable in mockery.js in mfncooper mockery commit 822f0566fd6d72af8c943ae5ca2aa92e516aa2cf via the key variable in mockery.js.
Critical
CVE-2022-37611
Prototype pollution vulnerability in tschaub gh-pages 3.1.0 via the partial variable in util.js.
2022-10-11
Critical
CVE-2022-37617
Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the k variable in resolve-shims.js.
Critical
CVE-2022-37609
Prototype pollution vulnerability in beautify-web js-beautify 1.13.7 via the name variable in options.js.
Critical
CVE-2022-37616
A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we…
2022-09-26
High
CVE-2022-21169
The package express-xss-sanitizer before 1.1.3 are vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization.
2022-09-20
Critical
CVE-2022-37265
Prototype pollution vulnerability in stealjs steal 2.2.4 via the alias variable in babel.js.
2022-09-16
Critical
CVE-2022-37258
Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the packageName variable in npm-convert.js.
2022-09-15
Critical
CVE-2022-37264
Prototype pollution vulnerability in stealjs steal 2.2.4 via the optionName variable in main.js.
Critical
CVE-2022-37266
Prototype pollution vulnerability in function extend in babel.js in stealjs steal 2.2.4 via the key variable in babel.js.
Critical
CVE-2022-37257
Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the requestedVersion variable in npm-convert.js.
2022-08-09
High
CVE-2022-25907
The package ts-deepmerge before 2.0.2 are vulnerable to Prototype Pollution due to missing sanitization of the merge function.
2022-07-28
Critical
CVE-2022-2564
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.
2022-07-25
Medium
CVE-2021-23397
All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead.
High
CVE-2021-23373
All versions of package set-deep-prop are vulnerable to Prototype Pollution via the main functionality.
2022-06-30
Critical
CVE-2021-40663
deep.assign npm package 0.0.0-alpha.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').
2022-06-28
High
CVE-2022-31106
Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An att…
2022-06-24
High
CVE-2022-21231
All versions of package deep-get-set are vulnerable to Prototype Pollution via the 'deep' function. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7715](https://security.sny…
2022-06-17
Medium
CVE-2022-25871
All versions of package querymen are vulnerable to Prototype Pollution if the parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. Note: This v…
2022-05-27
High
CVE-2022-25878
The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways:…
2022-05-01
High
CVE-2022-25301
All versions of package jsgui-lang-essentials are vulnerable to Prototype Pollution due to allowing all Object attributes to be altered, including their magical attributes such as proto, constructor…
Medium
CVE-2022-25645
All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, c…
High
CVE-2022-22143
The package convict before 6.2.2 are vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of…
High
CVE-2022-21189
The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check…
2022-04-15
High
CVE-2022-24279
The package madlib-object-utils before 0.1.8 are vulnerable to Prototype Pollution via the setValue method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability der…
2022-04-12
High
CVE-2022-21803
This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for set…
2022-04-11
Critical
CVE-2022-1295
Prototype Pollution in GitHub repository alvarotrigo/fullpage.js prior to 4.0.2.
2022-04-06
High
CVE-2021-43138
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
2022-04-01
High
CVE-2022-24802
deepmerge-ts is a typescript library providing functionality to deep merging of javascript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecor…
2022-03-22
Critical
CVE-2022-26260
Simple-Plist v1.3.0 was discovered to contain a prototype pollution vulnerability via .parse().
2022-03-17
Critical
CVE-2021-44906
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
High
CVE-2022-25354
The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an i…
High
CVE-2022-25352
The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. **Note:** This vulnerability derives from an incomplete fix for [CVE-2020-28283](https://sec…
Medium
CVE-2022-25296
The package bodymen from 0.0.0 are vulnerable to Prototype Pollution via the handler function which could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.…
Critical
CVE-2021-44908
SailsJS Sails.js <=1.4.0 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules().
Medium
CVE-2021-23771
This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to t…
2022-03-16
Medium
CVE-2021-43956
The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability.
2022-03-12
Critical
CVE-2022-24760
Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in th…
2022-03-02
Medium
CVE-2022-23395
jQuery Cookie 1.4.1 is affected by prototype pollution, which can lead to DOM cross-site scripting (XSS).
2022-02-24
High
CVE-2022-21824
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object wit…
2022-02-18
High
CVE-2021-23702
The package object-extend from 0.0.0 are vulnerable to Prototype Pollution via object-extend.
2022-02-17
Critical
CVE-2022-22912
Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.
2022-02-16
High
CVE-2021-23682
This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key…
2022-02-04
High
CVE-2021-23507
The package object-path-set before 1.0.2 are vulnerable to Prototype Pollution via the setPath method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives…
2022-02-02
Medium
CVE-2022-0432
Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.
2022-01-28
Medium
CVE-2021-23760
The package keyget from 0.0.0 are vulnerable to Prototype Pollution via the methods set, push, and at which could allow an attacker to cause a denial of service and may lead to remote code execution.…
High
CVE-2021-23558
The package bmoor before 0.10.1 are vulnerable to Prototype Pollution due to missing sanitization in set function. **Note:** This vulnerability derives from an incomplete fix in [CVE-2020-7736](https…
2022-01-21
High
CVE-2021-23518
The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which a…
High
CVE-2021-23460
The package min-dash before 3.8.1 are vulnerable to Prototype Pollution via the set method due to missing enforcement of key types.
2022-01-10
Critical
CVE-2021-23594
All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector.
High
CVE-2021-23568
The package extend2 before 1.0.1 are vulnerable to Prototype Pollution via the extend function due to unsafe recursive merge.
Critical
CVE-2021-23543
All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector.
2022-01-04
High
CVE-2021-43852
OroPlatform is a PHP Business Application Platform. In affected versions by sending a specially crafted request, an attacker could inject properties into existing JavaScript language construct protot…
2021-12-24
High
CVE-2021-23574
All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn and the set functions. This is an incomplete fix of [CVE-2020-28442](https://snyk.io/vuln/SNYK-JS-JSDATA-10236…
2021-12-17
High
CVE-2021-23450
All versions of package dojo are vulnerable to Prototype Pollution via the setObject function.
2021-12-10
Medium
CVE-2021-23700
All versions of package merge-deep2 are vulnerable to Prototype Pollution via the mergeDeep() function.
Medium
CVE-2021-23663
All versions of package sey are vulnerable to Prototype Pollution via the deepmerge() function.
Medium
CVE-2021-23561
All versions of package comb are vulnerable to Prototype Pollution via the deepMerge() function.
2021-12-08
Critical
CVE-2021-3815
utils.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
2021-11-29
Critical
CVE-2021-43787
Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascri…
2021-11-19
Medium
CVE-2021-23433
The package algoliasearch-helper before 3.6.2 are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.jsSearchParameters._parseNumbers without any protect…
2021-11-13
Critical
CVE-2021-3918
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
2021-11-03
Medium
CVE-2021-23807
This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.
2021-10-18
Critical
CVE-2021-23449
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.
2021-10-11
Medium
CVE-2021-23448
All versions of package config-handler are vulnerable to Prototype Pollution when loading config files.
2021-09-27
Critical
CVE-2021-41097
aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes…
2021-09-17
Medium
CVE-2021-39227
ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototy…
High
CVE-2021-3805
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
2021-09-13
Critical
CVE-2021-3666
body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
2021-09-10
Critical
CVE-2021-3645
merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
2021-09-06
Critical
CVE-2021-3766
objection.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
2021-09-02
Critical
CVE-2021-3757
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
2021-08-11
Medium
CVE-2021-23421
All versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function.
2021-07-28
Medium
CVE-2021-23417
All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function.
2021-07-14
Critical
CVE-2021-25953
Prototype pollution vulnerability in 'putil-merge' versions1.0.0 through 3.6.6 allows attacker to cause a denial of service and may lead to remote code execution.
2021-07-07
Critical
CVE-2021-25952
Prototype pollution vulnerability in ‘just-safe-set’ versions 1.0.0 through 2.2.1 allows an attacker to cause a denial of service and may lead to remote code execution.
2021-07-02
High
CVE-2021-23403
All versions of package ts-nodash are vulnerable to Prototype Pollution via the Merge() function due to lack of validation input.
High
CVE-2021-23402
All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality.
2021-06-17
Medium
CVE-2021-23396
All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function.
2021-06-16
High
CVE-2020-24939
Prototype pollution in Stampit supermixer 1.0.3 allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation.
2021-06-10
Critical
CVE-2021-25949
Prototype pollution vulnerability in 'set-getter' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.
Critical
CVE-2021-25948
Prototype pollution vulnerability in 'expand-hash' versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
2021-06-03
Critical
CVE-2021-25947
Prototype pollution vulnerability in 'nestie' versions 0.0.0 through 1.0.0 allows an attacker to cause a denial of service and may lead to remote code execution.
2021-05-26
Critical
CVE-2021-25945
Prototype pollution vulnerability in 'js-extend' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.
2021-05-25
Critical
CVE-2021-25946
Prototype pollution vulnerability in `nconf-toml` versions 0.0.1 through 0.0.2 allows an attacker to cause a denial of service and may lead to remote code execution.
Critical
CVE-2021-25944
Prototype pollution vulnerability in 'deep-defaults' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution.
2021-05-14
Critical
CVE-2021-25943
Prototype pollution vulnerability in '101' versions 1.0.0 through 1.6.3 allows an attacker to cause a denial of service and may lead to remote code execution.
Critical
CVE-2021-25941
Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
2021-05-04
Medium
CVE-2021-23383
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
2021-04-26
Critical
CVE-2021-25928
Prototype pollution vulnerability in 'safe-obj' versions 1.0.0 through 1.0.2 allows an attacker to cause a denial of service and may lead to remote code execution.
Critical
CVE-2021-25927
Prototype pollution vulnerability in 'safe-flat' versions 2.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
2021-04-23
High
CVE-2021-20089
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in purl 2.3.2 allows a malicious user to inject properties into Object.prototype.
High
CVE-2021-20086
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq 1.2.1 allows a malicious user to inject properties into Object.prototype.
High
CVE-2021-20085
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in backbone-query-parameters 0.4.0 allows a malicious user to inject properties into Object.prototype.
High
CVE-2021-20083
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-plugin-query-object 2.2.3 allows a malicious user to inject properties into Object.prototype.
High
CVE-2021-20088
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in mootools-more 1.6.0 allows a malicious user to inject properties into Object.prototype.
High
CVE-2021-20087
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-deparam 0.5.1 allows a malicious user to inject properties into Object.prototype.
High
CVE-2021-20084
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-sparkle 1.5.2-beta allows a malicious user to inject properties into Object.prototype.
2021-03-23
High
CVE-2020-28503
The package copy-props before 2.0.5 are vulnerable to Prototype Pollution via the main functionality.
2021-03-16
Critical
CVE-2021-25916
Prototype pollution vulnerability in 'patchmerge' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
2021-03-12
Medium
CVE-2021-21368
msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1, 4.5.1, and 5.2.1 there is a "Prototype Poisoning" vulnerability. When msgpack5 decodes a map co…
2021-03-09
Critical
CVE-2021-25915
Prototype pollution vulnerability in 'changeset' versions 0.0.1 through 0.2.5 allows an attacker to cause a denial of service and may lead to remote code execution.
2021-03-01
Critical
CVE-2021-25914
Prototype pollution vulnerability in 'object-collider' versions 1.0.0 through 1.0.3 allows attacker to cause a denial of service and may lead to remote code execution.
2021-02-26
High
CVE-2021-21297
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request c…
2021-02-18
High
CVE-2020-28499
All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .
2021-02-08
Critical
CVE-2021-25913
Prototype pollution vulnerability in 'set-or-get' version 1.0.0 through 1.2.10 allows an attacker to cause a denial of service and may lead to remote code execution.
High
CVE-2021-21304
Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method…
2021-02-02
Critical
CVE-2021-25912
Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0.1.0 allows attackers to cause a denial of service and may lead to remote code execution.
High
CVE-2020-28495
This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, l…
2021-01-31
High
CVE-2021-23329
The package nested-object-assign before 1.0.4 are vulnerable to Prototype Pollution via the default function, as demonstrated by running the PoC below.
2021-01-19
High
CVE-2020-28480
The package jointjs before 3.3.0 are vulnerable to Prototype Pollution via util.setByPath (https://resources.jointjs.com/docs/jointjs/v3.2/joint.htmlutil.setByPath). The path used the access the obje…
2021-01-04
High
CVE-2020-7771
The package asciitable.js before 1.0.3 are vulnerable to Prototype Pollution via the main function.
2020-12-29
Critical
CVE-2020-28283
Prototype pollution vulnerability in 'libnested' versions 0.0.0 through 1.5.0 allows an attacker to cause a denial of service and may lead to remote code execution.