Vulnerability Details: CVE-2025-13465

Summary
Assigner: openjs
Assigner Org ID: ce714d77-add3-4f53-aff5-83d477b104bb
Published At: 21 Jan, 2026 | 19:05
Updated At: 21 Jan, 2026 | 19:43

Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched in 4.17.23.

Common Vulnerabilities and Exposures (CVE)
cve.org
CVE Numbering Authority (CNA)
Affected Products

Vendor: Lodash
Product: Lodash
Package Name: lodash
Repo: https://github.com/lodash/lodash
Modules: https://github.com/lodash/lodash
Default Status: unaffected
Versions Affected: From 4.0.0 through 4.17.22 (semver)

Vendor: Lodash-amd
Product: Lodash-amd
Repo: https://github.com/lodash/lodash
Modules: https://github.com/lodash/lodash
Default Status: unaffected
Versions Affected: From 4.0.0 through 4.17.22 (semver)

Vendor: lodash-es
Product: lodash-es
Repo: https://github.com/lodash/lodash
Modules: https://github.com/lodash/lodash
Default Status: unaffected
Versions Affected: From 4.0.0 through 4.17.22 (semver)

Vendor: lodash.unset
Product: lodash.unset
Repo: https://github.com/lodash/lodash
Modules: https://github.com/lodash/lodash
Default Status: unaffected
Versions Affected: 4.0.0

Problem Types
Type: CWE
CWE ID: CWE-1321
Description: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Metrics
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P
Impacts
CAPEC ID: CAPEC-77
Description: CAPEC-77 Manipulating User-Controlled Variables
Credits
finder: Lukas Euler
analyst: Jordan Harband
remediation reviewer: Michał Lipiński
remediation developer: Ulises Gascón
References
Hyperlink: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
Resource: N/A
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Information is not available yet
National Vulnerability Database (NVD)
nvd.nist.gov
Source: ce714d77-add3-4f53-aff5-83d477b104bb
Published At: 21 Jan, 2026 | 20:16
Updated At: 17 Feb, 2026 | 17:10

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CPE Matches

lodash: Versions from 4.0.0 (inclusive) to 4.17.23 (exclusive)
cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*
Weaknesses
CWE ID: CWE-1321
Type: Secondary
Source: ce714d77-add3-4f53-aff5-83d477b104bb
References
Hyperlink: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
Source: ce714d77-add3-4f53-aff5-83d477b104bb
Resource: Vendor Advisory

Similar CVEs

17 Records found

CVE-2019-10744
Matching Score: 6
Assigner: Snyk
CVSS Score: 9.1 (CRITICAL)
EPSS: 2.44% / 84.87%
7 Day CHG: ~0.00%
Published: 25 Jul, 2019 | 23:43
Updated: 04 Aug, 2024 | 22:32
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Action: Not Available
Vendor: lodash; Snyk; F5, Inc.; Red Hat, Inc.; NetApp, Inc.; Oracle Corporation
Product: big-ip_webaccelerator; big-ip_application_acceleration_manager; big-ip_policy_enforcement_manager; big-ip_fraud_protection_service; lodash; active_iq_unified_manager; big-ip_global_traffic_manager; big-ip_local_traffic_manager; big-ip_analytics; big-ip_domain_name_system; iworkflow; big-ip_application_security_manager; big-ip_edge_gateway; big-ip_link_controller; virtualization_manager; big-iq_centralized_management; big-ip_application_visibility_and_reporting; big-ip_access_policy_manager; service_level_manager; banking_extensibility_workbench; big-ip_advanced_firewall_manager
CWE ID: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2018-3721
Matching Score: 6
Assigner: HackerOne
CVSS Score: 6.5 (MEDIUM)
EPSS: 0.25% / 48.26%
7 Day CHG: ~0.00%
Published: 07 Jun, 2018 | 02:00
Updated: 16 Sep, 2024 | 22:34
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Action: Not Available
Vendor: lodash; NetApp, Inc.; HackerOne
Product: system_manager; active_iq_unified_manager; lodash; lodash node module
CWE ID: CWE-471 Modification of Assumed-Immutable Data (MAID)
CWE ID: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-8203
Matching Score: 6
Assigner: HackerOne
CVSS Score: 7.4 (HIGH)
EPSS: 2.61% / 85.35%
7 Day CHG: -0.69%
Published: 15 Jul, 2020 | 16:10
Updated: 04 Aug, 2024 | 09:56
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Action: Not Available
Vendor: lodash; n/a; Oracle Corporation
Product: peoplesoft_enterprise_peopletools; communications_billing_and_revenue_management; primavera_gateway; lodash; banking_extensibility_workbench; communications_cloud_native_core_policy; banking_virtual_account_management; banking_trade_finance_process_management; banking_supply_chain_finance; blockchain_platform; banking_liquidity_management; communications_subscriber-aware_load_balancer; banking_corporate_lending_process_management; banking_credit_facilities_process_management; communications_session_border_controller; enterprise_communications_broker; jd_edwards_enterpriseone_tools; communications_session_router
CWE ID: CWE-770 Allocation of Resources Without Limits or Throttling
CWE ID: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2025-64718
Matching Score: 4
Assigner: GitHub, Inc.
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.02% / 5.01%
7 Day CHG: ~0.00%
Published: 13 Nov, 2025 | 15:32
Updated: 02 Feb, 2026 | 12:54
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
js-yaml has prototype pollution in merge (<<)

js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).

Action: Not Available
Vendor: nodeca
Product: js-yaml
CWE ID: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7637
Matching Score: 4
Assigner: Snyk
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.32% / 54.43%
7 Day CHG: ~0.00%
Published: 06 Apr, 2020 | 12:34
Updated: 04 Aug, 2024 | 09:33
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

class-transformer before 0.3.1 allows attackers to perform Prototype Pollution. The classToPlainFromExist function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.

Action: Not Available
Vendor: class-transformer_project; n/a
Product: class-transformer
CWE ID: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7643
Matching Score: 4
Assigner: Snyk
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.32% / 54.43%
7 Day CHG: ~0.00%
Published: 23 Apr, 2020 | 13:23
Updated: 04 Aug, 2024 | 09:33
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

paypal-adaptive through 0.4.2 manipulation of JavaScript objects resulting in Prototype Pollution. The PayPal function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.

Action: Not Available
Vendor: idea; n/a
Product: paypal-adaptive
CWE ID: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7616
Matching Score: 4
Assigner: Snyk
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.32% / 54.43%
7 Day CHG: ~0.00%
Published: 07 Apr, 2020 | 13:16
Updated: 04 Aug, 2024 | 09:33
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by `express-mock-middleware`. As such, this is considered to be a low risk.

Action: Not Available
Vendor: express-mock-middleware_project; n/a
Product: express-mock-middleware
CWE ID: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7600
Matching Score: 4
Assigner: Snyk
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.32% / 54.58%
7 Day CHG: ~0.00%
Published: 12 Mar, 2020 | 22:25
Updated: 04 Aug, 2024 | 09:33
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

querymen prior to 2.1.4 allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks.

Action: Not Available
Vendor: querymen_project; n/a
Product: querymen
CWE ID: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7639
Matching Score: 4
Assigner: Snyk
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.33% / 55.07%
7 Day CHG: ~0.00%
Published: 06 Apr, 2020 | 12:48
Updated: 04 Aug, 2024 | 09:33
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

eivindfjeldstad-dot below 1.0.3 is vulnerable to Prototype Pollution. The function 'set' could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.

Action: Not Available
Vendor: dot_project; n/a
Product: dot; @eivifj/dot
CWE ID: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7638
Matching Score: 4
Assigner: Snyk
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.35% / 56.85%
7 Day CHG: ~0.00%
Published: 06 Apr, 2020 | 12:38
Updated: 04 Aug, 2024 | 09:33
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

confinit through 0.3.0 is vulnerable to Prototype Pollution. The 'setDeepProperty' function could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.

Action: Not Available
Vendor: confinit_project; n/a
Product: confinit
CWE ID: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2020-7618
Matching Score: 4
Assigner: Snyk
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.32% / 54.43%
7 Day CHG: ~0.00%
Published: 07 Apr, 2020 | 13:22
Updated: 04 Aug, 2024 | 09:33
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

sds through 3.2.0 is vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of the 'Object.prototype' by abusing the 'set' function located in 'js/set.js'.

Action: Not Available
Vendor: sds_project; n/a
Product: sds
CWE ID: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2023-0842
Matching Score: 4
Assigner: Fluid Attacks
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.23% / 45.65%
7 Day CHG: ~0.00%
Published: 05 Apr, 2023 | 00:00
Updated: 03 Dec, 2025 | 20:14
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
xml2js 0.4.23 - Prototype Pollution

xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.

Action: Not Available
Vendor: xml2js_project; n/a
Product: xml2js
CWE ID: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2022-42743
Matching Score: 4
Assigner: Fluid Attacks
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.31% / 53.96%
7 Day CHG: ~0.00%
Published: 03 Nov, 2022 | 00:00
Updated: 03 Dec, 2025 | 20:01
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
deep-parse-json 1.0.2 - Prototype Pollution

deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited.

Action: Not Available
Vendor: deep-parse-json_project; n/a
Product: deep-parse-json
CWE ID: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2021-23395
Matching Score: 4
Assigner: Snyk
CVSS Score: 7.3 (HIGH)
EPSS: 0.22% / 44.82%
7 Day CHG: ~0.00%
Published: 15 Jun, 2021 | 19:12
Updated: 16 Sep, 2024 | 23:05
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Prototype Pollution

This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor.prototype payload.

Action: Not Available
Vendor: nedb_project; n/a
Product: nedb
CWE ID: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2022-41713
Matching Score: 4
Assigner: Fluid Attacks
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.11% / 29.61%
7 Day CHG: ~0.00%
Published: 03 Nov, 2022 | 00:00
Updated: 03 Dec, 2025 | 20:08
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
deep-object-diff 1.1.0 - Prototype Pollution

deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the '__proto__' property to be edited.

Action: Not Available
Vendor: deep-object-diff_project; n/a
Product: deep-object-diff
CWE ID: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2022-41714
Matching Score: 4
Assigner: Fluid Attacks
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.31% / 53.96%
7 Day CHG: ~0.00%
Published: 03 Nov, 2022 | 00:00
Updated: 03 Dec, 2025 | 19:58
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
fastest-json-copy 1.0.1 - Prototype Pollution

fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited.

Action: Not Available
Vendor: fastest-json-copy_project; n/a
Product: fastest-json-copy
CWE ID: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2022-36059
Matching Score: 4
Assigner: GitHub, Inc.
CVSS Score: 8.2 (HIGH)
EPSS: 1.14% / 78.10%
7 Day CHG: ~0.00%
Published: 28 Mar, 2023 | 20:32
Updated: 18 Feb, 2025 | 20:05
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Prototype pollution in matrix-js-sdk

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are advised to upgrade. Users unable to upgrade may mitigate this issue by redacting applicable events, waiting for the sync processor to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues. In some cases, no workarounds are possible.

Action: Not Available
Vendor: The Matrix.org Foundation
Product: javascript_sdk; matrix-js-sdk
CWE ID: CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')