CVE-2026-55091

HIGHPre-NVD 7.57.5
EchelonGraph scoreLOW confidence

This high-severity CVE scores 7.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
7.5
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 7.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

flat-to-nested: Prototype pollution in flat-to-nested convert() via __proto__ parent/id key

Summary

convert() builds the nested tree by using each flat record's id and parent field values directly as object keys, with no guard against __proto__ / constructor / prototype. A record whose parent is the string "__proto__" makes temp[parent] resolve to Object.prototype, and the following initPush(...) writes attacker-controlled data onto the global prototype. Any application that passes attacker-influenced records to convert() is affected, and the base prototype methods stay intact so the pollution is stealthy.

### Details In index.js, convert() (FlatToNested.prototype.convert):

  • temp = {} (line 45) and pendingChildOf = {} (line 46) are plain objects, so they inherit from Object.prototype.
  • For each record, parent = flatEl[this.config.parent] (line 51) is taken verbatim from input.
  • Line 57: if (temp[parent] !== undefined) — when parent === "__proto__", temp["__proto__"] resolves via the prototype chain to Object.prototype, which is !== undefined, so the
branch is taken.
  • Line 59: initPush(this.config.children, temp[parent], flatEl) → effectively initPush("children", Object.prototype, flatEl).
  • initPush (lines 4-9): Object.prototype["children"] = [] then Object.prototype["children"].push(flatEl)attacker-controlled data is written onto the global Object.prototype.

There is no sanitization of id / parent anywhere; they flow straight into temp[id], temp[parent], and pendingChildOf[parent] as dynamic keys.

### PoC

const FlatToNested = require('flat-to-nested');

new FlatToNested().convert([ { id: 1, parent: '__proto__', polluted: 'PWNED' } ]);

console.log(({}).children); // => [ { id: 1, polluted: 'PWNED' } ] A freshly-created, unrelated object {} now carries an attacker-controlled children property. ({}).toString === Object.prototype.toString remains true, so existing methods are untouched (stealthy). If the consumer configures a custom children key, that arbitrary prototype property is polluted instead.

### Impact

Prototype pollution (CWE-1321). Any service that builds a tree from attacker-influenced flat records (the package's core purpose — e.g. records derived from a DB/REST/user input) can have Object.prototype polluted. Consequences range from application-logic corruption and denial of service to serving as a gadget toward privilege escalation or RCE depending on downstream sinks. No special privileges or user interaction required; the malicious value is ordinary input data.

### Suggested fix

Use prototype-less lookup tables so inherited keys like __proto__ cannot be reached: var temp = Object.create(null); var pendingChildOf = Object.create(null); (Optionally also reject id/parent values equal to __proto__, constructor, or prototype.) Verified: with Object.create(null) for both temp and pendingChildOf, the PoC no longer pollutes Object.prototype and normal nesting output is unchanged. A patch with a regression test is ready.

CVSS v3
7.5
EG Score
7.5(low)
EPSS
KEV
Not listed

Published

June 19, 2026

Last Modified

June 19, 2026

Vendor Advisories for CVE-2026-55091(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
npm(1)
PackageVulnerable rangeFixed inDependents
flat-to-nested1.1.2

Data Freshness Timeline

(refreshed 15× in last 7d / 38× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 04:57 UTCEG score recompute
  2. 2026-07-06 17:46 UTCEG score recompute
  3. 2026-07-06 06:28 UTCEG score recompute
  4. 2026-07-05 19:18 UTCEG score recompute
  5. 2026-07-05 08:07 UTCEG score recompute
  6. 2026-07-04 20:46 UTCEG score recompute
  7. 2026-07-04 09:35 UTCEG score recompute
  8. 2026-07-03 22:24 UTCEG score recompute
  9. 2026-07-03 11:13 UTCEG score recompute
  10. 2026-07-03 00:02 UTCEG score recompute
  11. 2026-07-02 12:51 UTCEG score recompute
  12. 2026-07-02 01:40 UTCEG score recompute
  13. 2026-07-01 14:29 UTCEG score recompute
  14. 2026-07-01 03:19 UTCEG score recompute
  15. 2026-06-30 16:08 UTCEG score recompute
  16. 2026-06-30 04:57 UTCEG score recompute
  17. 2026-06-29 17:31 UTCEG score recompute
  18. 2026-06-29 06:20 UTCEG score recompute
  19. 2026-06-28 19:07 UTCEG score recompute
  20. 2026-06-28 07:56 UTCEG score recompute
  21. 2026-06-27 20:45 UTCEG score recompute
  22. 2026-06-27 09:35 UTCEG score recompute
  23. 2026-06-26 22:24 UTCEG score recompute
  24. 2026-06-26 11:13 UTCEG score recompute
  25. 2026-06-25 23:10 UTCEG score recompute
Show 13 more
  1. 2026-06-25 11:59 UTCEG score recompute
  2. 2026-06-25 00:49 UTCEG score recompute
  3. 2026-06-24 13:38 UTCEG score recompute
  4. 2026-06-24 02:27 UTCEG score recompute
  5. 2026-06-23 15:16 UTCEG score recompute
  6. 2026-06-23 04:03 UTCEG score recompute
  7. 2026-06-22 16:48 UTCEG score recompute
  8. 2026-06-22 05:32 UTCEG score recompute
  9. 2026-06-21 18:17 UTCEG score recompute
  10. 2026-06-21 07:04 UTCEG score recompute
  11. 2026-06-20 19:49 UTCEG score recompute
  12. 2026-06-20 08:35 UTCEG score recompute
  13. 2026-06-19 21:24 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-55091?
CVE-2026-55091 is a high vulnerability published on June 19, 2026. flat-to-nested: Prototype pollution in flat-to-nested convert() via proto parent/id key Summary convert() builds the nested tree by using each flat record's id and parent field values directly as object keys, with no guard against proto / constructor / prototype. A record whose parent is the string…
When was CVE-2026-55091 disclosed?
CVE-2026-55091 was first published in the National Vulnerability Database on June 19, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-55091?
CVE-2026-55091 has a CVSS v4.0 base score of 7.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-55091?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-55091, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-55091

Explore →

Is Your Infrastructure Affected by CVE-2026-55091?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.