CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)
478 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-1321 (page 4 of 10)
- CVE-2021-25915 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-03-09
Prototype pollution vulnerability in 'changeset' versions 0.0.1 through 0.2.5 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-25916 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-03-16
Prototype pollution vulnerability in 'patchmerge' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-25927 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-04-26
Prototype pollution vulnerability in 'safe-flat' versions 2.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-25928 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-04-26
Prototype pollution vulnerability in 'safe-obj' versions 1.0.0 through 1.0.2 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-25941 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-05-14
Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-25943 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-05-14
Prototype pollution vulnerability in '101' versions 1.0.0 through 1.6.3 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-25944 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-05-25
Prototype pollution vulnerability in 'deep-defaults' versions 1.0.0 through 1.0.5 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-25945 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-05-26
Prototype pollution vulnerability in 'js-extend' versions 0.0.1 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-25946 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-05-25
Prototype pollution vulnerability in `nconf-toml` versions 0.0.1 through 0.0.2 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-25947 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-06-03
Prototype pollution vulnerability in 'nestie' versions 0.0.0 through 1.0.0 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-25948 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-06-10
Prototype pollution vulnerability in 'expand-hash' versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-25949 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-06-10
Prototype pollution vulnerability in 'set-getter' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-25952 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-07-07
Prototype pollution vulnerability in 'just-safe-set' versions 1.0.0 through 2.2.1 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-25953 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-07-14
Prototype pollution vulnerability in 'putil-merge' versions 1.0.0 through 3.6.6 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-26505 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-08-11
Prototype pollution vulnerability in MrSwitch hello.js version 1.18.6 allows remote attackers to execute arbitrary code via the hello.utils.extend function.
- CVE-2021-26707 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-06-02
The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-…
- CVE-2021-27582 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-02-23
org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAt…
- CVE-2021-28860 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-05-03
In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will …
- CVE-2021-32736 | HIGH | CVSS 7.5 | EG 7.5 | 2021-06-30
think-helper defines a set of helper functions for ThinkJS. In versions of think-helper prior to 1.1.3, the software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, bu…
- CVE-2021-32807 | MEDIUM | CVSS 4.4 | EG 4.4 | 2021-07-30
The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. T…
- CVE-2021-32811 | HIGH | CVSS 7.5 | EG 7.5 | 2021-08-02
Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.…
- CVE-2021-3645 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-09-10
merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- CVE-2021-3666 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-09-13
body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- CVE-2021-3757 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-09-02
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- CVE-2021-3766 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-09-06
objection.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- CVE-2021-3805 | HIGH | CVSS 7.5 | EG 7.5 | 2021-09-17
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- CVE-2021-3815 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-12-08
utils.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- CVE-2021-3918 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-11-13
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- CVE-2021-39205 | MEDIUM | CVSS 6.8 | EG 6.8 | 2021-09-15
Jitsi Meet is an open source video conferencing application. Versions prior to 2.0.6173 are vulnerable to client-side cross-site scripting via injecting properties into JSON objects that were not properly escaped. There are no known incide…
- CVE-2021-39227 | MEDIUM | CVSS 6.2 | EG 6.2 | 2021-09-17
ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototype pollution. It affects the popular dat…
- CVE-2021-40663 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-06-30
deep.assign npm package 0.0.0-alpha.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').
- CVE-2021-41097 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-09-27
aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes Aurelia application that uses `aurelia-…
- CVE-2021-4245 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-12-15
A vulnerability classified as problematic has been found in chbrown rfc6902. This affects an unknown part of the file pointer.ts. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollu…
- CVE-2021-42581 | CRITICAL | CVSS 9.1 | EG 9.1 | 2022-05-10
Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to …
- CVE-2021-4264 | MEDIUM | CVSS 6.3 | EG 6.3 | 2022-12-21
A vulnerability was found in LinkedIn dustjs up to 2.x and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improperly controlled modification of object prototype attributes ('proto…
- CVE-2021-4278 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-12-25
A vulnerability classified as problematic has been found in cronvel tree-kit up to 0.6.x. This affects an unknown part. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). Up…
- CVE-2021-4279 | MEDIUM | CVSS 6.3 | EG 6.3 | 2022-12-25
A vulnerability has been found in Starcounter-Jack JSON-Patch up to 3.1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improperly controlled modification of object prototype attributes (…
- CVE-2021-4307 | MEDIUM | CVSS 6.3 | EG 6.3 | 2023-01-07
A vulnerability was found in Yomguithereal Baobab up to 2.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to improperly controlled modification of object prototype a…
- CVE-2021-43138 | HIGH | CVSS 7.8 | EG 7.8 | 2022-04-06
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
- CVE-2021-43787 | CRITICAL | CVSS 9.0 | EG 9.0 | 2021-11-29
Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing…
- CVE-2021-43852 | HIGH | CVSS 8.8 | EG 8.8 | 2022-01-04
OroPlatform is a PHP Business Application Platform. In affected versions by sending a specially crafted request, an attacker could inject properties into existing JavaScript language construct prototypes, such as objects. Later this inject…
- CVE-2021-43956 | MEDIUM | CVSS 6.1 | EG 6.1 | 2022-03-16
The jQuery deserialize library in Fisheye and Crucible before version 4.8.9 allowed remote attackers to inject arbitrary HTML and/or JavaScript via a prototype pollution vulnerability.
- CVE-2021-44906 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-17
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
- CVE-2021-44908 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-17
SailsJS Sails.js <=1.4.0 is vulnerable to Prototype Pollution via controller/load-action-modules.js, function loadActionModules().
- CVE-2022-0432 | MEDIUM | CVSS 6.1 | EG 6.1 | 2022-02-02
Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.
- CVE-2022-1295 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-04-11
Prototype Pollution in GitHub repository alvarotrigo/fullpage.js prior to 4.0.2.
- CVE-2022-1529 | HIGH | CVSS 8.8 | EG 8.8 | 2022-12-22
An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged par…
- CVE-2022-1802 | HIGH | CVSS 8.8 | EG 8.8 | 2022-12-22
If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox …
- CVE-2022-21169 | HIGH | CVSS 7.3 | EG 7.3 | 2022-09-26
The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass XSS sanitization.
- CVE-2022-21189 | HIGH | CVSS 7.3 | EG 7.3 | 2022-05-01
The package dexie before 3.2.2, and from 4.0.0-alpha.1 before 4.0.0-alpha.3, is vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like __proto__ or c…