Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-25913

Summary
Assigner-Mend
Assigner Org ID-478c68dd-22c1-4a41-97cd-654224dfacff
Published At-08 Feb, 2021 | 21:22
Updated At-03 Aug, 2024 | 20:11
Rejected At-
Credits

Prototype pollution vulnerability in 'set-or-get' version 1.0.0 through 1.2.10 allows an attacker to cause a denial of service and may lead to remote code execution.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Mend
Assigner Org ID:478c68dd-22c1-4a41-97cd-654224dfacff
Published At:08 Feb, 2021 | 21:22
Updated At:03 Aug, 2024 | 20:11
Rejected At:
▼CVE Numbering Authority (CNA)

Prototype pollution vulnerability in 'set-or-get' version 1.0.0 through 1.2.10 allows an attacker to cause a denial of service and may lead to remote code execution.

Affected Products
Vendor
n/a
Product
set-or-get
Versions
Affected
  • 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10
Problem Types
TypeCWE IDDescription
textN/APrototype Pollution
Type: text
CWE ID: N/A
Description: Prototype Pollution
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25913
x_refsource_MISC
https://github.com/IonicaBizau/set-or-get.js/commit/82ede5cccb2e8d13e4f62599203a4389f6d8e936
x_refsource_MISC
Hyperlink: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25913
Resource:
x_refsource_MISC
Hyperlink: https://github.com/IonicaBizau/set-or-get.js/commit/82ede5cccb2e8d13e4f62599203a4389f6d8e936
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25913
x_refsource_MISC
x_transferred
https://github.com/IonicaBizau/set-or-get.js/commit/82ede5cccb2e8d13e4f62599203a4389f6d8e936
x_refsource_MISC
x_transferred
Hyperlink: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25913
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/IonicaBizau/set-or-get.js/commit/82ede5cccb2e8d13e4f62599203a4389f6d8e936
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:vulnerabilitylab@mend.io
Published At:08 Feb, 2021 | 22:15
Updated At:08 Aug, 2023 | 14:22

Prototype pollution vulnerability in 'set-or-get' version 1.0.0 through 1.2.10 allows an attacker to cause a denial of service and may lead to remote code execution.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches
set-or-get_project
set-or-get_project
>>set-or-get>>Versions from 1.0.0(inclusive) to 1.2.10(inclusive)
cpe:2.3:a:set-or-get_project:set-or-get:*:*:*:*:*:node.js:*:*
Weaknesses
CWE IDTypeSource
CWE-1321Primarynvd@nist.gov
CWE ID: CWE-1321
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/IonicaBizau/set-or-get.js/commit/82ede5cccb2e8d13e4f62599203a4389f6d8e936vulnerabilitylab@mend.io
Patch
Third Party Advisory
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25913vulnerabilitylab@mend.io
Exploit
Third Party Advisory
Hyperlink: https://github.com/IonicaBizau/set-or-get.js/commit/82ede5cccb2e8d13e4f62599203a4389f6d8e936
Source: vulnerabilitylab@mend.io
Resource:
Patch
Third Party Advisory
Hyperlink: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25913
Source: vulnerabilitylab@mend.io
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

216Records found
CVE-2021-23760
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-5.6||MEDIUM
EPSS-2.43% / 85.30%
||
7 Day CHG~0.00%
Published-28 Jan, 2022 | 21:31
Updated-17 Sep, 2024 | 01:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

The package keyget from 0.0.0 are vulnerable to Prototype Pollution via the methods set, push, and at which could allow an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix to [CVE-2020-28272](https://security.snyk.io/vuln/SNYK-JS-KEYGET-1048048)

Action-Not Available
Vendor-keyget_projectn/a
Product-keygetn/a
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2021-23421
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-5.6||MEDIUM
EPSS-0.53% / 67.41%
||
7 Day CHG~0.00%
Published-11 Aug, 2021 | 17:30
Updated-17 Sep, 2024 | 02:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

All versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function.

Action-Not Available
Vendor-merge-change_projectn/a
Product-merge-changemerge-change
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2021-23470
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-8.2||HIGH
EPSS-1.46% / 81.01%
||
7 Day CHG~0.00%
Published-04 Feb, 2022 | 20:05
Updated-16 Sep, 2024 | 23:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

This affects the package putil-merge before 3.8.0. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-PUTILMERGE-1317077

Action-Not Available
Vendor-putil-merge_projectn/a
Product-putil-mergeputil-merge
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2021-23700
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-6.5||MEDIUM
EPSS-0.48% / 65.13%
||
7 Day CHG~0.00%
Published-10 Dec, 2021 | 20:05
Updated-16 Sep, 2024 | 21:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

All versions of package merge-deep2 are vulnerable to Prototype Pollution via the mergeDeep() function.

Action-Not Available
Vendor-merge-deep2_projectn/a
Product-merge-deep2merge-deep2
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2021-23543
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.56% / 68.36%
||
7 Day CHG~0.00%
Published-07 Jan, 2022 | 20:05
Updated-16 Sep, 2024 | 20:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sandbox Bypass

All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector.

Action-Not Available
Vendor-agoricn/a
Product-realms-shimrealms-shim
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2021-23448
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-6.5||MEDIUM
EPSS-0.44% / 63.54%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 20:15
Updated-16 Sep, 2024 | 16:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

All versions of package config-handler are vulnerable to Prototype Pollution when loading config files.

Action-Not Available
Vendor-config-handler_projectn/a
Product-config-handlerconfig-handler
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2021-23433
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-5.9||MEDIUM
EPSS-0.24% / 46.45%
||
7 Day CHG~0.00%
Published-19 Nov, 2021 | 19:25
Updated-16 Sep, 2024 | 19:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

The package algoliasearch-helper before 3.6.2 are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.jsSearchParameters._parseNumbers without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns.

Action-Not Available
Vendor-algolian/a
Product-algoliasearch-helperalgoliasearch-helper
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2021-23702
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.6||HIGH
EPSS-0.38% / 59.62%
||
7 Day CHG~0.00%
Published-18 Feb, 2022 | 20:00
Updated-17 Sep, 2024 | 03:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

The package object-extend from 0.0.0 are vulnerable to Prototype Pollution via object-extend.

Action-Not Available
Vendor-object-extend_projectn/a
Product-object-extendobject-extend
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2021-23518
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.3||HIGH
EPSS-0.65% / 70.98%
||
7 Day CHG~0.00%
Published-21 Jan, 2022 | 20:05
Updated-16 Sep, 2024 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as __proto__, the attribute of the object is accessed instead of a path. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573

Action-Not Available
Vendor-cached-path-relative_projectn/aDebian GNU/Linux
Product-cached-path-relativedebian_linuxcached-path-relative
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-8116
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-7.3||HIGH
EPSS-0.76% / 73.60%
||
7 Day CHG~0.00%
Published-04 Feb, 2020 | 19:08
Updated-04 Aug, 2024 | 09:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.

Action-Not Available
Vendor-dot-prop_projectn/a
Product-dot-propdot-prop
CWE ID-CWE-471
Modification of Assumed-Immutable Data (MAID)
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-8158
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-0.28% / 51.83%
||
7 Day CHG~0.00%
Published-18 Sep, 2020 | 20:12
Updated-04 Aug, 2024 | 09:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Prototype pollution vulnerability in the TypeORM package < 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks.

Action-Not Available
Vendor-typeormn/a
Product-typeormtypeorm
CWE ID-CWE-471
Modification of Assumed-Immutable Data (MAID)
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7737
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.3||HIGH
EPSS-0.39% / 60.22%
||
7 Day CHG~0.00%
Published-02 Oct, 2020 | 09:30
Updated-16 Sep, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

All versions of package safetydance are vulnerable to Prototype Pollution via the set function.

Action-Not Available
Vendor-safetydance_projectn/a
Product-safetydancesafetydance
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7719
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-1.72% / 82.58%
||
7 Day CHG~0.00%
Published-01 Sep, 2020 | 09:30
Updated-17 Sep, 2024 | 01:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

Versions of package locutus before 2.0.12 are vulnerable to prototype Pollution via the php.strings.parse_str function.

Action-Not Available
Vendor-locutusn/a
Product-locutuslocutus
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7736
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.3||HIGH
EPSS-0.85% / 75.05%
||
7 Day CHG~0.00%
Published-02 Oct, 2020 | 09:25
Updated-16 Sep, 2024 | 18:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

The package bmoor before 0.8.12 are vulnerable to Prototype Pollution via the set function.

Action-Not Available
Vendor-bmoor_projectn/a
Product-bmoorbmoor
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7702
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 61.46%
||
7 Day CHG~0.00%
Published-17 Aug, 2020 | 13:50
Updated-16 Sep, 2024 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

All versions of package templ8 are vulnerable to Prototype Pollution via the parse function.

Action-Not Available
Vendor-templ8_projectn/a
Product-templ8Templ8
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7718
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 61.46%
||
7 Day CHG~0.00%
Published-01 Sep, 2020 | 09:25
Updated-16 Sep, 2024 | 22:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

All versions of package gammautils are vulnerable to Prototype Pollution via the deepSet and deepMerge functions.

Action-Not Available
Vendor-gammautils_projectn/a
Product-gammautilsgammautils
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7700
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 61.46%
||
7 Day CHG~0.00%
Published-14 Aug, 2020 | 15:05
Updated-16 Sep, 2024 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

All versions of phpjs are vulnerable to Prototype Pollution via parse_str.

Action-Not Available
Vendor-php.js_projectn/a
Product-php.jsphpjs
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7726
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 59.93%
||
7 Day CHG~0.00%
Published-01 Sep, 2020 | 09:50
Updated-17 Sep, 2024 | 00:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

All versions of package safe-object2 are vulnerable to Prototype Pollution via the setter function.

Action-Not Available
Vendor-safe-object2_projectn/a
Product-safe-object2safe-object2
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7716
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.45% / 63.71%
||
7 Day CHG~0.00%
Published-01 Sep, 2020 | 09:20
Updated-17 Sep, 2024 | 03:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

All versions of package deeps are vulnerable to Prototype Pollution via the set function.

Action-Not Available
Vendor-invertasen/a
Product-deepsdeeps
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7699
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.5||HIGH
EPSS-4.09% / 88.69%
||
7 Day CHG~0.00%
Published-30 Jul, 2020 | 09:05
Updated-17 Sep, 2024 | 03:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.

Action-Not Available
Vendor-express-fileupload_projectn/aNetApp, Inc.
Product-max_dataexpress-fileuploadexpress-fileupload
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7768
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.5||HIGH
EPSS-1.32% / 80.07%
||
7 Day CHG~0.00%
Published-11 Nov, 2020 | 10:20
Updated-17 Sep, 2024 | 00:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.

Action-Not Available
Vendor-grpcn/a
Product-grpc@grpc/grpc-jsgrpc
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7708
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-1.08% / 78.09%
||
7 Day CHG~0.00%
Published-18 Aug, 2020 | 14:35
Updated-16 Sep, 2024 | 20:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

The package irrelon-path before 4.7.0; the package @irrelon/path before 4.7.0 are vulnerable to Prototype Pollution via the set, unSet, pushVal and pullVal functions.

Action-Not Available
Vendor-irrelonn/a
Product-irrelon-path\@irrelon\/pathirrelon-path@irrelon/path
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7792
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.5||HIGH
EPSS-0.98% / 76.98%
||
7 Day CHG~0.00%
Published-11 Dec, 2020 | 11:05
Updated-17 Sep, 2024 | 02:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.

Action-Not Available
Vendor-moutjsn/a
Product-moutmout
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7715
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.80% / 74.14%
||
7 Day CHG~0.00%
Published-01 Sep, 2020 | 09:20
Updated-16 Sep, 2024 | 20:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

All versions of package deep-get-set are vulnerable to Prototype Pollution via the main function.

Action-Not Available
Vendor-deep-get-set_projectn/a
Product-deep-get-setdeep-get-set
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7703
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 61.46%
||
7 Day CHG~0.00%
Published-17 Aug, 2020 | 14:50
Updated-16 Sep, 2024 | 22:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

All versions of package nis-utils are vulnerable to Prototype Pollution via the setValue function.

Action-Not Available
Vendor-nis-utils_projectn/a
Product-nis-utilsnis-utils
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7766
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.3||HIGH
EPSS-1.06% / 77.88%
||
7 Day CHG~0.00%
Published-10 Nov, 2020 | 15:35
Updated-16 Sep, 2024 | 22:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

This affects all versions of package json-ptr. The issue occurs in the set operation (https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.htmlset) when the force flag is set to true. The function recursively set the property in the target object, however it does not properly check the key being set, leading to a prototype pollution.

Action-Not Available
Vendor-json-ptr_projectn/a
Product-json-ptrjson-ptr
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7727
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 59.93%
||
7 Day CHG~0.00%
Published-01 Sep, 2020 | 09:50
Updated-16 Sep, 2024 | 17:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

All versions of package gedi are vulnerable to Prototype Pollution via the set function.

Action-Not Available
Vendor-gedi_projectn/a
Product-gedigedi
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7701
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-1.10% / 78.28%
||
7 Day CHG~0.00%
Published-14 Aug, 2020 | 15:10
Updated-17 Sep, 2024 | 01:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue.

Action-Not Available
Vendor-springtreen/a
Product-madlib-object-utilsmadlib-object-utils
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7617
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-4.4||MEDIUM
EPSS-0.23% / 46.28%
||
7 Day CHG~0.00%
Published-02 Apr, 2020 | 18:00
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

ini-parser through 0.0.2 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of Object.prototype using a '__proto__' payload.

Action-Not Available
Vendor-ini-parser_projectrawiroaisen
Product-ini-parserini-parser
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7706
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-1.72% / 82.58%
||
7 Day CHG~0.00%
Published-18 Aug, 2020 | 09:20
Updated-16 Sep, 2024 | 16:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

The package connie-lang before 0.1.1 are vulnerable to Prototype Pollution in the configuration language library used by connie.

Action-Not Available
Vendor-connie-lang_projectn/a
Product-connie-langconnie-lang
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7771
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.5||HIGH
EPSS-0.45% / 63.71%
||
7 Day CHG~0.00%
Published-04 Jan, 2021 | 11:50
Updated-17 Sep, 2024 | 02:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

The package asciitable.js before 1.0.3 are vulnerable to Prototype Pollution via the main function.

Action-Not Available
Vendor-asciitable.js_projectn/a
Product-asciitable.jsasciitable.js
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7707
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-2.09% / 84.19%
||
7 Day CHG~0.00%
Published-18 Aug, 2020 | 13:40
Updated-16 Sep, 2024 | 22:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

The package property-expr before 2.0.3 are vulnerable to Prototype Pollution via the setter function.

Action-Not Available
Vendor-property-expr_projectn/a
Product-property-exprproperty-expr
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7743
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.3||HIGH
EPSS-1.68% / 82.38%
||
7 Day CHG~0.00%
Published-13 Oct, 2020 | 09:15
Updated-16 Sep, 2024 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

The package mathjs before 7.5.1 are vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates.

Action-Not Available
Vendor-mathjsn/a
Product-mathjsmathjs
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7724
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 59.93%
||
7 Day CHG~0.00%
Published-01 Sep, 2020 | 09:45
Updated-16 Sep, 2024 | 23:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

All versions of package tiny-conf are vulnerable to Prototype Pollution via the set function.

Action-Not Available
Vendor-tiny-conf_projectn/a
Product-tiny-conftiny-conf
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7725
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 59.93%
||
7 Day CHG~0.00%
Published-01 Sep, 2020 | 09:50
Updated-16 Sep, 2024 | 22:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

All versions of package worksmith are vulnerable to Prototype Pollution via the setValue function.

Action-Not Available
Vendor-guidesmithsn/a
Product-worksmithworksmith
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7717
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 61.46%
||
7 Day CHG~0.00%
Published-01 Sep, 2020 | 09:25
Updated-16 Sep, 2024 | 23:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

All versions of package dot-notes are vulnerable to Prototype Pollution via the create function.

Action-Not Available
Vendor-dot-notes_projectn/a
Product-dot-notesdot-notes
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7774
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.3||HIGH
EPSS-0.47% / 64.72%
||
7 Day CHG~0.00%
Published-17 Nov, 2020 | 12:30
Updated-16 Sep, 2024 | 20:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Action-Not Available
Vendor-y18n_projectn/aOracle CorporationSiemens AG
Product-y18nsinec_infrastructure_network_servicesgraalvmy18n
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7721
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 61.46%
||
7 Day CHG~0.00%
Published-01 Sep, 2020 | 09:40
Updated-16 Sep, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

All versions of package node-oojs are vulnerable to Prototype Pollution via the setPath function.

Action-Not Available
Vendor-node-oojs_projectn/a
Product-node-oojsnode-oojs
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7788
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.3||HIGH
EPSS-0.29% / 52.56%
||
7 Day CHG~0.00%
Published-11 Dec, 2020 | 10:45
Updated-16 Sep, 2024 | 23:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Action-Not Available
Vendor-ini_projectn/aDebian GNU/Linux
Product-inidebian_linuxini
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7746
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.5||HIGH
EPSS-0.21% / 43.47%
||
7 Day CHG~0.00%
Published-29 Oct, 2020 | 08:05
Updated-16 Sep, 2024 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.

Action-Not Available
Vendor-chartjsn/a
Product-chart.jschart.js
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7770
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-6.5||MEDIUM
EPSS-0.33% / 56.28%
||
7 Day CHG~0.00%
Published-12 Nov, 2020 | 10:15
Updated-16 Sep, 2024 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

This affects the package json8 before 1.0.3. The function adds in the target object the property specified in the path, however it does not properly check the key being set, leading to a prototype pollution.

Action-Not Available
Vendor-json8_projectn/a
Product-json8json8
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7713
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 61.46%
||
7 Day CHG~0.00%
Published-01 Sep, 2020 | 09:10
Updated-16 Sep, 2024 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

All versions of package arr-flatten-unflatten are vulnerable to Prototype Pollution via the constructor.

Action-Not Available
Vendor-arr-flatten-unflatten_projectn/a
Product-arr-flatten-unflattenarr-flatten-unflatten
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2025-61140
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.07% / 21.13%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 00:00
Updated-09 Feb, 2026 | 19:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.

Action-Not Available
Vendor-dchestern/a
Product-jsonpathn/a
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2025-66456
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.16% / 36.59%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 19:43
Updated-17 Dec, 2025 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Elysia vulnerable to prototype pollution with multiple standalone schema validation

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be an any type that is set as a standalone guard, to allow for the `__proto__ prop` to be merged. When combined with GHSA-8vch-m3f4-q8jf this allows for a full RCE by an attacker. This issue is fixed in version 1.4.17. To workaround, remove the `__proto__ key` from body.

Action-Not Available
Vendor-elysiajselysiajs
Product-elysiaelysia
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2025-63704
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 17.84%
||
7 Day CHG+0.04%
Published-07 May, 2026 | 00:00
Updated-08 May, 2026 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2019-19919
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-24.75% / 96.20%
||
7 Day CHG~0.00%
Published-20 Dec, 2019 | 22:50
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Action-Not Available
Vendor-handlebars.js_projectn/aTenable, Inc.
Product-handlebars.jstenable.scn/a
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2025-57321
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.14% / 33.14%
||
7 Day CHG~0.00%
Published-24 Sep, 2025 | 00:00
Updated-17 Oct, 2025 | 13:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

Action-Not Available
Vendor-magix-combine-ex_projectn/a
Product-magix-combine-exn/a
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2025-57347
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.18% / 39.55%
||
7 Day CHG~0.00%
Published-24 Sep, 2025 | 00:00
Updated-17 Oct, 2025 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution vulnerabilities by injecting malicious input values (e.g., "__proto__"), enabling unauthorized modification of the JavaScript Object prototype chain. Successful exploitation could lead to denial of service conditions, unexpected application behavior, or potential execution of arbitrary code in contexts where polluted properties are later accessed or executed. The issue affects versions prior to 7.0.11 and remains unpatched at the time of disclosure.

Action-Not Available
Vendor-tbo47n/a
Product-dagre-d3-esn/a
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2025-63703
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 18.86%
||
7 Day CHG+0.04%
Published-07 May, 2026 | 00:00
Updated-08 May, 2026 | 23:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2023-46308
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.15% / 35.70%
||
7 Day CHG~0.00%
Published-03 Jan, 2024 | 00:00
Updated-24 Dec, 2025 | 06:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty.

Action-Not Available
Vendor-plotlyn/a
Product-plotly.jsn/a
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • Next
Details not found