Critical
CVE-2020-28282
Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.
Tag: Prototype Pollution
All CVEs associated with "Prototype Pollution". Page 4/4 • 456 CVEs.
Subscribe CVEs: RSS for “Prototype Pollution” · RSS (High+Critical only)
About “Prototype Pollution”
A curated feed of “Prototype Pollution”-related CVEs appears below. We currently track 456 CVEs for this tag (all time). In the last 365 days, 93 were published. Average CVSS is 8.0 (all time; 7.6 over 365d), and 77% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'), CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting').
In our taxonomy this topic maps to a MODERATE impact class. Common exploitation patterns for this weakness can lead to moderate. Use the filters to triage high risk first and validate exposure in your environment. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2020-12-29
Critical
CVE-2020-28281
Prototype pollution vulnerability in 'set-object-value' versions 0.0.0 through 0.0.5 allows an attacker to cause a denial of service and may lead to remote code execution.
Critical
CVE-2020-28280
Prototype pollution vulnerability in 'predefine' versions 0.0.0 through 0.1.2 allows an attacker to cause a denial of service and may lead to remote code execution.
Critical
CVE-2020-28279
Prototype pollution vulnerability in 'flattenizer' versions 0.0.5 through 1.0.5 allows an attacker to cause a denial of service and may lead to remote code execution.
Critical
CVE-2020-28278
Prototype pollution vulnerability in 'shvl' versions 1.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
Critical
CVE-2020-28277
Prototype pollution vulnerability in 'dset' versions 1.0.0 through 2.0.1 allows attacker to cause a denial of service and may lead to remote code execution.
Critical
CVE-2020-28276
Prototype pollution vulnerability in 'deep-set' versions 1.0.0 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.
2020-12-16
High
CVE-2020-28458
All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.
2020-12-15
High
CVE-2020-28442
All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn function.
2020-12-11
High
CVE-2020-7792
This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing…
2020-12-08
Critical
CVE-2020-28274
Prototype pollution vulnerability in 'deepref' versions 1.1.1 through 1.2.1 allows attacker to cause a denial of service and may lead to remote code execution.
2020-12-02
Critical
CVE-2020-28273
Prototype pollution vulnerability in 'set-in' versions 1.0.0 through 2.0.0 allows attacker to cause a denial of service and may lead to remote code execution.
Critical
CVE-2020-28272
Prototype pollution vulnerability in 'keyget' versions 1.0.0 through 2.2.0 allows attacker to cause a denial of service and may lead to remote code execution.
2020-11-27
High
CVE-2020-26245
npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper poll…
2020-11-24
Medium
CVE-2020-26237
Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will…
2020-11-17
High
CVE-2020-7774
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.
2020-11-15
High
CVE-2020-28268
Prototype pollution vulnerability in 'controlled-merge' versions 1.0.0 through 1.2.0 allows attacker to cause a denial of service and may lead to remote code execution.
2020-11-12
Critical
CVE-2020-28271
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution.
Critical
CVE-2020-28270
Prototype pollution vulnerability in 'object-hierarchy-access' versions 0.2.0 through 0.32.0 allows attacker to cause a denial of service and may lead to remote code execution.
Critical
CVE-2020-28269
Prototype pollution vulnerability in 'field' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.
Medium
CVE-2020-7770
This affects the package json8 before 1.0.3. The function adds in the target object the property specified in the path, however it does not properly check the key being set, leading to a prototype po…
2020-11-11
High
CVE-2020-7768
The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.
2020-11-10
High
CVE-2020-7766
This affects all versions of package json-ptr. The issue occurs in the set operation (https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true.…
High
CVE-2020-28267
Prototype pollution vulnerability in '@strikeentco/set' version 1.0.0 allows attacker to cause a denial of service and may lead to remote code execution.
2020-11-09
High
CVE-2020-8268
Prototype pollution vulnerability in json8-merge-patch npm package < 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor.
2020-10-29
High
CVE-2020-7746
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) ar…
2020-10-26
Medium
CVE-2020-7751
pathval before version 1.1.1 is vulnerable to prototype pollution.
2020-10-19
High
CVE-2020-15256
A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is u…
2020-10-13
High
CVE-2020-7743
The package mathjs before 7.5.1 are vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates.
2020-10-02
High
CVE-2020-7737
All versions of package safetydance are vulnerable to Prototype Pollution via the set function.
High
CVE-2020-7736
The package bmoor before 0.8.12 are vulnerable to Prototype Pollution via the set function.
2020-09-18
High
CVE-2020-8237
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
Critical
CVE-2020-8158
Prototype pollution vulnerability in the TypeORM package < 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks.
2020-09-01
Critical
CVE-2020-7727
All versions of package gedi are vulnerable to Prototype Pollution via the set function.
Critical
CVE-2020-7726
All versions of package safe-object2 are vulnerable to Prototype Pollution via the setter function.
Critical
CVE-2020-7725
All versions of package worksmith are vulnerable to Prototype Pollution via the setValue function.
Critical
CVE-2020-7724
All versions of package tiny-conf are vulnerable to Prototype Pollution via the set function.
Critical
CVE-2020-7723
All versions of package promisehelpers are vulnerable to Prototype Pollution via the insert function.
Critical
CVE-2020-7722
All versions of package nodee-utils are vulnerable to Prototype Pollution via the deepSet function.
Critical
CVE-2020-7721
All versions of package node-oojs are vulnerable to Prototype Pollution via the setPath function.
Critical
CVE-2020-7720
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
Critical
CVE-2020-7719
Versions of package locutus before 2.0.12 are vulnerable to prototype Pollution via the php.strings.parse_str function.
Critical
CVE-2020-7718
All versions of package gammautils are vulnerable to Prototype Pollution via the deepSet and deepMerge functions.
Critical
CVE-2020-7717
All versions of package dot-notes are vulnerable to Prototype Pollution via the create function.
Critical
CVE-2020-7716
All versions of package deeps are vulnerable to Prototype Pollution via the set function.
Critical
CVE-2020-7715
All versions of package deep-get-set are vulnerable to Prototype Pollution via the main function.
Critical
CVE-2020-7714
All versions of package confucious are vulnerable to Prototype Pollution via the set function.
Critical
CVE-2020-7713
All versions of package arr-flatten-unflatten are vulnerable to Prototype Pollution via the constructor.
2020-08-18
Critical
CVE-2020-7708
The package irrelon-path before 4.7.0; the package @irrelon/path before 4.7.0 are vulnerable to Prototype Pollution via the set, unSet, pushVal and pullVal functions.
Critical
CVE-2020-7707
The package property-expr before 2.0.3 are vulnerable to Prototype Pollution via the setter function.
Critical
CVE-2020-7706
The package connie-lang before 0.1.1 are vulnerable to Prototype Pollution in the configuration language library used by connie.
2020-08-17
Critical
CVE-2020-7704
The package linux-cmdline before 1.0.1 are vulnerable to Prototype Pollution via the constructor.
Critical
CVE-2020-7703
All versions of package nis-utils are vulnerable to Prototype Pollution via the setValue function.
Critical
CVE-2020-7702
All versions of package templ8 are vulnerable to Prototype Pollution via the parse function.
2020-08-14
Critical
CVE-2020-7701
madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue.
Critical
CVE-2020-7700
All versions of phpjs are vulnerable to Prototype Pollution via parse_str.
2020-07-15
Medium
CVE-2020-15366
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype polluti…
High
CVE-2020-8203
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
2020-06-19
High
CVE-2020-7679
In all versions of package casperjs, the mergeObjects utility function is susceptible to Prototype Pollution.
2020-06-03
High
CVE-2020-7013
Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to…
High
CVE-2020-7012
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data…
2020-04-28
High
CVE-2020-7644
fun-map through 3.3.1 is vulnerable to Prototype Pollution. The function assocInM could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.
2020-04-23
Medium
CVE-2020-7643
paypal-adaptive through 0.4.2 manipulation of JavaScript objects resulting in Prototype Pollution. The PayPal function could be tricked into adding or modifying properties of Object.prototype using a…
2020-04-07
Medium
CVE-2020-7618
sds through 3.2.0 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of the 'Object.prototype' by abusing the 'set' function located in 'js/set.js'.
Medium
CVE-2020-7616
express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitatio…
2020-04-06
Medium
CVE-2020-7639
eivindfjeldstad-dot below 1.0.3 is vulnerable to Prototype Pollution.The function 'set' could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.
Medium
CVE-2020-7638
confinit through 0.3.0 is vulnerable to Prototype Pollution.The 'setDeepProperty' function could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.
Medium
CVE-2020-7637
class-transformer before 0.3.1 allow attackers to perform Prototype Pollution. The classToPlainFromExist function could be tricked into adding or modifying properties of Object.prototype using a __pr…
2020-04-03
Critical
CVE-2020-8147
Flaw in input validation in npm package utils-extend version 1.0.8 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using…
2020-04-02
Medium
CVE-2020-7617
ini-parser through 0.0.2 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of Object.prototype using a '__proto__' payload.
2020-03-20
High
CVE-2020-8136
Prototype pollution vulnerability in fastify-multipart < 1.0.5 allows an attacker to crash fastify applications parsing multipart requests by sending a specially crafted request.
2020-03-12
Medium
CVE-2020-7600
querymen prior to 2.1.4 allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused…
2020-03-10
High
CVE-2020-5259
In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language co…
High
CVE-2020-5258
In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language…
2020-02-24
Medium
CVE-2019-10798
rdf-graph-array through 0.3.0-rc6 manipulation of JavaScript objects resutling in Prototype Pollution. The rdf.Graph.prototype.add method could be tricked into adding or modifying properties of Objec…
2020-02-18
Medium
CVE-2019-10795
undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
Medium
CVE-2019-10794
All versions of component-flatten are vulnerable to Prototype Pollution. The a function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
Medium
CVE-2019-10793
dot-object before 2.1.3 is vulnerable to Prototype Pollution. The set function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
Medium
CVE-2019-10792
bodymen before 1.1.1 is vulnerable to Prototype Pollution. The handler function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
2020-02-04
Critical
CVE-2020-8125
Flaw in input validation in npm package klona version 1.1.0 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using klona.
High
CVE-2020-8116
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as…
2019-12-20
Critical
CVE-2019-19919
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allo…
2019-11-11
High
CVE-2019-18841
Chartkick.js 3.1.0 through 3.1.3, as used in the Chartkick gem before 3.3.0 for Ruby, allows prototype pollution.
2019-08-23
Critical
CVE-2019-10750
deeply is vulnerable to Prototype Pollution in versions before 3.1.0. The function assign-deep could be tricked into adding or modifying properties of Object.prototype using using a _proto_ payload.
Critical
CVE-2019-10747
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the construc…
Critical
CVE-2019-10746
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a co…
2019-08-20
High
CVE-2019-10745
assign-deep is vulnerable to Prototype Pollution in versions before 0.4.8 and version 1.0.0. The function assign-deep could be tricked into adding or modifying properties of Object.prototype using ei…
2019-07-26
Critical
CVE-2019-10744
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor pay…
2019-04-20
Medium
CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an e…
2019-02-01
Critical
CVE-2018-16492
A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.
Critical
CVE-2018-16491
A prototype pollution vulnerability was found in node.extend <1.1.7, ~<2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype.
High
CVE-2018-16490
A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype.
Critical
CVE-2018-16489
A prototype pollution vulnerability was found in just-extend <4.0.0 that allows attack to inject properties onto Object.prototype through its functions.
Medium
CVE-2018-16487
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Critical
CVE-2018-16486
A prototype pollution vulnerability was found in defaults-deep <=0.2.4 that would allow a malicious user to inject properties onto Object.prototype.
2018-11-06
High
CVE-2018-16472
A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype…