CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
478 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-1321 (page 3 of 10)
- CVE-2021-20085 | HIGH | CVSS 8.8 | EG 8.8 | 2021-04-23
  Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in backbone-query-parameters 0.4.0 allows a malicious user to inject properties into Object.prototype.
- CVE-2021-20086 | HIGH | CVSS 8.8 | EG 8.8 | 2021-04-23
  Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq 1.2.1 allows a malicious user to inject properties into Object.prototype.
- CVE-2021-20087 | HIGH | CVSS 8.8 | EG 8.8 | 2021-04-23
  Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-deparam 0.5.1 allows a malicious user to inject properties into Object.prototype.
- CVE-2021-20088 | HIGH | CVSS 8.8 | EG 8.8 | 2021-04-23
  Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in mootools-more 1.6.0 allows a malicious user to inject properties into Object.prototype.
- CVE-2021-20089 | HIGH | CVSS 8.8 | EG 8.8 | 2021-04-23
  Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in purl 2.3.2 allows a malicious user to inject properties into Object.prototype.
- CVE-2021-21297 | HIGH | CVSS 7.7 | EG 7.7 | 2021-02-26
  Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default J…
- CVE-2021-21304 | HIGH | CVSS 7.2 | EG 7.2 | 2021-02-08
  Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method "lib/utils/object/set.ts". This method i…
- CVE-2021-21368 | MEDIUM | CVSS 6.7 | EG 6.7 | 2021-03-12
  msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1, 4.5.1, and 5.2.1 there is a "Prototype Poisoning" vulnerability. When msgpack5 decodes a map containing a key "__proto__", it assigns t…
- CVE-2021-23328 | MEDIUM | CVSS 5.6 | EG 5.6 | 2021-01-29
  This affects all versions of package iniparserjs. The vulnerability arises when ini_parser.js is concatenating arrays. Depending on whether user input is provided, an attacker can overwrite and pollute the object prototype of a program.
- CVE-2021-23329 | HIGH | CVSS 7.5 | EG 7.5 | 2021-01-31
  The package nested-object-assign before 1.0.4 is vulnerable to Prototype Pollution via the default function, as demonstrated by running the PoC below.
- CVE-2021-23373 | HIGH | CVSS 7.5 | EG 9.8 | 2022-07-25
  All versions of package set-deep-prop are vulnerable to Prototype Pollution via the main functionality.
- CVE-2021-23383 | MEDIUM | CVSS 5.6 | EG 5.6 | 2021-05-04
  The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
- CVE-2021-23395 | HIGH | CVSS 7.3 | EG 7.3 | 2021-06-15
  This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor.prototype payload.
- CVE-2021-23396 | MEDIUM | CVSS 5.6 | EG 5.6 | 2021-06-17
  All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function.
- CVE-2021-23397 | MEDIUM | CVSS 5.6 | EG 5.6 | 2022-07-25
  All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. The maintainer suggests using @generates/merger instead.
- CVE-2021-23402 | HIGH | CVSS 7.3 | EG 7.3 | 2021-07-02
  All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality.
- CVE-2021-23403 | HIGH | CVSS 7.3 | EG 7.3 | 2021-07-02
  All versions of package ts-nodash are vulnerable to Prototype Pollution via the Merge() function due to lack of input validation.
- CVE-2021-23408 | MEDIUM | CVSS 5.4 | EG 5.4 | 2021-07-21
  This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload.
- CVE-2021-23417 | MEDIUM | CVSS 5.6 | EG 5.6 | 2021-07-28
  All versions of package deepmergefn are vulnerable to Prototype Pollution via the deepMerge function.
- CVE-2021-23419 | HIGH | CVSS 7.3 | EG 7.3 | 2021-08-08
  This affects the package open-graph before 0.2.6. The function parse could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor payload.
- CVE-2021-23421 | MEDIUM | CVSS 5.6 | EG 9.8 | 2021-08-11
  All versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function.
- CVE-2021-23426 | MEDIUM | CVSS 5.6 | EG 7.5 | 2021-09-01
  This affects all versions of package Proto. It is possible to pollute the object prototype of an application using Proto by leveraging the merge function.
- CVE-2021-23432 | MEDIUM | CVSS 5.4 | EG 5.4 | 2021-08-24
  This affects all versions of package mootools. This is due to the ability to pass untrusted input to Object.merge().
- CVE-2021-23433 | MEDIUM | CVSS 5.9 | EG 5.9 | 2021-11-19
  The package algoliasearch-helper before 3.6.2 is vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.js (SearchParameters._parseNumbers) without any protection against prototype properties. Note t…
- CVE-2021-23442 | HIGH | CVSS 8.6 | EG 8.6 | 2021-09-17
  This affects all versions of package @cookiex/deep. The global proto object can be polluted using the __proto__ object.
- CVE-2021-23448 | MEDIUM | CVSS 6.5 | EG 9.8 | 2021-10-11
  All versions of package config-handler are vulnerable to Prototype Pollution when loading config files.
- CVE-2021-23449 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-10-18
  This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.
- CVE-2021-23450 | HIGH | CVSS 7.5 | EG 7.5 | 2021-12-17
  All versions of package dojo are vulnerable to Prototype Pollution via the setObject function.
- CVE-2021-23452 | HIGH | CVSS 8.6 | EG 8.6 | 2021-10-20
  This affects all versions of package x-assign. The global proto object can be polluted using the __proto__ object.
- CVE-2021-23460 | HIGH | CVSS 7.5 | EG 7.5 | 2022-01-21
  The package min-dash before 3.8.1 is vulnerable to Prototype Pollution via the set method due to missing enforcement of key types.
- CVE-2021-23470 | HIGH | CVSS 8.2 | EG 8.2 | 2022-02-04
  This affects the package putil-merge before 3.8.0. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vul…
- CVE-2021-23497 | HIGH | CVSS 7.5 | EG 7.5 | 2022-02-04
  This affects the package @strikeentco/set before 1.0.2. It allows an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/…
- CVE-2021-23507 | HIGH | CVSS 7.5 | EG 7.5 | 2022-02-04
  The package object-path-set before 1.0.2 is vulnerable to Prototype Pollution via the setPath method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix in https://securi…
- CVE-2021-23518 | HIGH | CVSS 7.3 | EG 7.3 | 2022-01-21
  The package cached-path-relative before 1.1.0 is vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype pro…
- CVE-2021-23543 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-01-10
  All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector.
- CVE-2021-23558 | HIGH | CVSS 7.3 | EG 7.3 | 2022-01-28
  The package bmoor before 0.10.1 is vulnerable to Prototype Pollution due to missing sanitization in the set function. **Note:** This vulnerability derives from an incomplete fix in [CVE-2020-7736](https://security.snyk.io/vuln/SNYK-JS-BMOOR-5…
- CVE-2021-23561 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-12-10
  All versions of package comb are vulnerable to Prototype Pollution via the deepMerge() function.
- CVE-2021-23568 | HIGH | CVSS 7.3 | EG 7.3 | 2022-01-10
  The package extend2 before 1.0.1 is vulnerable to Prototype Pollution via the extend function due to unsafe recursive merge.
- CVE-2021-23574 | HIGH | CVSS 7.5 | EG 9.8 | 2021-12-24
  All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn and the set functions. This is an incomplete fix of [CVE-2020-28442](https://snyk.io/vuln/SNYK-JS-JSDATA-1023655).
- CVE-2021-23594 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-01-10
  All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector.
- CVE-2021-23597 | HIGH | CVSS 7.5 | EG 7.5 | 2022-02-11
  This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULT…
- CVE-2021-23663 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-12-10
  All versions of package sey are vulnerable to Prototype Pollution via the deepmerge() function.
- CVE-2021-23682 | HIGH | CVSS 7.3 | EG 7.3 | 2022-02-16
  This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not…
- CVE-2021-23700 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-12-10
  All versions of package merge-deep2 are vulnerable to Prototype Pollution via the mergeDeep() function.
- CVE-2021-23702 | HIGH | CVSS 7.6 | EG 9.8 | 2022-02-18
  The package object-extend from 0.0.0 is vulnerable to Prototype Pollution via object-extend.
- CVE-2021-23760 | MEDIUM | CVSS 5.6 | EG 5.6 | 2022-01-28
  The package keyget from 0.0.0 is vulnerable to Prototype Pollution via the methods set, push, and at, which could allow an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives fr…
- CVE-2021-23771 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-03-17
  This affects all versions of package notevil and all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype Pollution. The package fails to restrict access to the main context, allowing an attacker to…
- CVE-2021-25912 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-02-02
  Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0.1.0 allows attackers to cause a denial of service and may lead to remote code execution.
- CVE-2021-25913 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-02-08
  Prototype pollution vulnerability in 'set-or-get' versions 1.0.0 through 1.2.10 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-25914 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-03-01
  Prototype pollution vulnerability in 'object-collider' versions 1.0.0 through 1.0.3 allows an attacker to cause a denial of service and may lead to remote code execution.
Map vulnerabilities like CWE-1321 to your infrastructure
EchelonGraph correlates every CVE — across CWE-1321 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.