GHSA-vpmm-x3fm-qr5cMedium

jodit: Prototype pollution in Jodit via Jodit.modules.Helpers.set()

Published
June 18, 2026
Last Modified
June 18, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

Jodit.modules.Helpers.set(chain, value, obj) walks the dot-separated chain, creating and following each path segment, without filtering prototype-mutating keys. A chain that begins with (or contains) __proto__, constructor, or prototype lets the final assignment reach and mutate Object.prototype (prototype pollution).

Affected

  • Package: jodit (npm)
  • Versions: < 4.12.26
  • Public API: Jodit.modules.Helpers.set(chain, value, obj)

Proof of Concept

const { Jodit } = require('jodit');
delete Object.prototype.polluted;
Jodit.modules.Helpers.set('__proto__.polluted', 'yes', {});
console.log(({}).polluted); // "yes" (before the fix)
delete Object.prototype.polluted;

Impact

Applications that pass a user-controlled or partially user-controlled key path into Jodit.modules.Helpers.set() could be vulnerable to prototype pollution (CWE-1321): unexpected property injection, logic bypass, denial of service, or secondary security issues.

Patch

Fixed in 4.12.26 by rejecting any chain whose segments include __proto__, constructor, or prototype, reusing the same guard introduced for Jodit.configure() in 4.12.18.

Credit

Responsibly reported by Junming Wu.

🎯 Affected products1

  • npm/jodit:< 4.12.26

🔗 References (2)