CWE-1321— Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.— MITRE CWE catalog
508 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-1321page 3 of 11
- CVE-2021-20085HIGHCVSS 8.8EG 8.82021-04-23
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in backbone-query-parameters 0.4.0 allows a malicious user to inject properties into Object.prototype.
- CVE-2021-20086HIGHCVSS 8.8EG 8.82021-04-23
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq 1.2.1 allows a malicious user to inject properties into Object.prototype.
- CVE-2021-20087HIGHCVSS 8.8EG 8.82021-04-23
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-deparam 0.5.1 allows a malicious user to inject properties into Object.prototype.
- CVE-2021-20088HIGHCVSS 8.8EG 8.82021-04-23
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in mootools-more 1.6.0 allows a malicious user to inject properties into Object.prototype.
- CVE-2021-20089HIGHCVSS 8.8EG 8.82021-04-23
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in purl 2.3.2 allows a malicious user to inject properties into Object.prototype.
- CVE-2021-21297HIGHCVSS 7.7EG 7.72021-02-26
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default J…
- CVE-2021-21304HIGHCVSS 7.2EG 7.22021-02-08
Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method "lib/utils/object/set.ts". This method i…
- CVE-2021-21368MEDIUMCVSS 6.7EG 6.72021-03-12
msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1, 4.5.1, and 5.2.1 there is a "Prototype Poisoning" vulnerability. When msgpack5 decodes a map containing a key "__proto__", it assigns t…
- CVE-2021-23328MEDIUMCVSS 5.6EG 5.62021-01-29
This affects all versions of package iniparserjs. This vulnerability relates when ini_parser.js is concentrating arrays. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
- CVE-2021-23329HIGHCVSS 7.5EG 7.52021-01-31
The package nested-object-assign before 1.0.4 are vulnerable to Prototype Pollution via the default function, as demonstrated by running the PoC below.
- CVE-2021-23373HIGHCVSS 7.5EG 9.82022-07-25
All versions of package set-deep-prop are vulnerable to Prototype Pollution via the main functionality.
- CVE-2021-23383MEDIUMCVSS 5.6EG 5.62021-05-04
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
- CVE-2021-23395HIGHCVSS 7.3EG 7.32021-06-15
This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor.prototype payload.
- CVE-2021-23396MEDIUMCVSS 5.6EG 5.62021-06-17
All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function.
- CVE-2021-23397MEDIUMCVSS 5.6EG 5.62022-07-25
All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. Maintainer suggests using @generates/merger instead.
- CVE-2021-23402HIGHCVSS 7.3EG 7.32021-07-02
All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality.
- CVE-2021-23403HIGHCVSS 7.3EG 7.32021-07-02
All versions of package ts-nodash are vulnerable to Prototype Pollution via the Merge() function due to lack of validation input.
- CVE-2021-23408MEDIUMCVSS 5.4EG 5.42021-07-21
This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload.
- CVE-2021-23417MEDIUMCVSS 5.6EG 5.62021-07-28
All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function.
- CVE-2021-23419HIGHCVSS 7.3EG 7.32021-08-08
This affects the package open-graph before 0.2.6. The function parse could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor payload.
- CVE-2021-23421MEDIUMCVSS 5.6EG 9.82021-08-11
All versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function.
- CVE-2021-23426MEDIUMCVSS 5.6EG 7.52021-09-01
This affects all versions of package Proto. It is possible to inject pollute the object property of an application using Proto by leveraging the merge function.
- CVE-2021-23432MEDIUMCVSS 5.4EG 5.42021-08-24
This affects all versions of package mootools. This is due to the ability to pass untrusted input to Object.merge()
- CVE-2021-23433MEDIUMCVSS 5.9EG 5.92021-11-19
The package algoliasearch-helper before 3.6.2 are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.jsSearchParameters._parseNumbers without any protection against prototype properties. Note t…
- CVE-2021-23442HIGHCVSS 8.6EG 8.62021-09-17
This affects all versions of package @cookiex/deep. The global proto object can be polluted using the __proto__ object.
- CVE-2021-23448MEDIUMCVSS 6.5EG 9.82021-10-11
All versions of package config-handler are vulnerable to Prototype Pollution when loading config files.
- CVE-2021-23449CRITICALCVSS 9.8EG 9.82021-10-18
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.
- CVE-2021-23450HIGHCVSS 7.5EG 7.52021-12-17
All versions of package dojo are vulnerable to Prototype Pollution via the setObject function.
- CVE-2021-23452HIGHCVSS 8.6EG 8.62021-10-20
This affects all versions of package x-assign. The global proto object can be polluted using the __proto__ object.
- CVE-2021-23460HIGHCVSS 7.5EG 7.52022-01-21
The package min-dash before 3.8.1 are vulnerable to Prototype Pollution via the set method due to missing enforcement of key types.
- CVE-2021-23470HIGHCVSS 8.2EG 8.22022-02-04
This affects the package putil-merge before 3.8.0. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vul…
- CVE-2021-23497HIGHCVSS 7.5EG 7.52022-02-04
This affects the package @strikeentco/set before 1.0.2. It allows an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/…
- CVE-2021-23507HIGHCVSS 7.5EG 7.52022-02-04
The package object-path-set before 1.0.2 are vulnerable to Prototype Pollution via the setPath method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix in https://securi…
- CVE-2021-23518HIGHCVSS 7.3EG 7.32022-01-21
The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype pro…
- CVE-2021-23543CRITICALCVSS 9.8EG 9.82022-01-10
All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector.
- CVE-2021-23558HIGHCVSS 7.3EG 7.32022-01-28
The package bmoor before 0.10.1 are vulnerable to Prototype Pollution due to missing sanitization in set function. **Note:** This vulnerability derives from an incomplete fix in [CVE-2020-7736](https://security.snyk.io/vuln/SNYK-JS-BMOOR-5…
- CVE-2021-23561MEDIUMCVSS 6.5EG 6.52021-12-10
All versions of package comb are vulnerable to Prototype Pollution via the deepMerge() function.
- CVE-2021-23568HIGHCVSS 7.3EG 7.32022-01-10
The package extend2 before 1.0.1 are vulnerable to Prototype Pollution via the extend function due to unsafe recursive merge.
- CVE-2021-23574HIGHCVSS 7.5EG 9.82021-12-24
All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn and the set functions. This is an incomplete fix of [CVE-2020-28442](https://snyk.io/vuln/SNYK-JS-JSDATA-1023655).
- CVE-2021-23594CRITICALCVSS 9.8EG 9.82022-01-10
All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector.
- CVE-2021-23597HIGHCVSS 7.5EG 7.52022-02-11
This affects the package fastify-multipart before 5.3.1. By providing a name=constructor property it is still possible to crash the application. **Note:** This is a bypass of CVE-2020-8136 (https://security.snyk.io/vuln/SNYK-JS-FASTIFYMULT…
- CVE-2021-23663MEDIUMCVSS 6.5EG 6.52021-12-10
All versions of package sey are vulnerable to Prototype Pollution via the deepmerge() function.
- CVE-2021-23682HIGHCVSS 7.3EG 7.32022-02-16
This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not…
- CVE-2021-23700MEDIUMCVSS 6.5EG 6.52021-12-10
All versions of package merge-deep2 are vulnerable to Prototype Pollution via the mergeDeep() function.
- CVE-2021-23702HIGHCVSS 7.6EG 9.82022-02-18
The package object-extend from 0.0.0 are vulnerable to Prototype Pollution via object-extend.
- CVE-2021-23760MEDIUMCVSS 5.6EG 5.62022-01-28
The package keyget from 0.0.0 are vulnerable to Prototype Pollution via the methods set, push, and at which could allow an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives fr…
- CVE-2021-23771MEDIUMCVSS 6.5EG 6.52022-03-17
This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to…
- CVE-2021-25912CRITICALCVSS 9.8EG 9.82021-02-02
Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0.1.0 allows attackers to cause a denial of service and may lead to remote code execution.
- CVE-2021-25913CRITICALCVSS 9.8EG 9.82021-02-08
Prototype pollution vulnerability in 'set-or-get' version 1.0.0 through 1.2.10 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-25914CRITICALCVSS 9.8EG 9.82021-03-01
Prototype pollution vulnerability in 'object-collider' versions 1.0.0 through 1.0.3 allows attacker to cause a denial of service and may lead to remote code execution.
Map vulnerabilities like CWE-1321 to your infrastructure
EchelonGraph correlates every CVE — across CWE-1321 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →