Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CWE-1321 — Vulnerability Class 161

161 vulnerabilities classified as CWE-1321. AI Chinese analysis included.

CWE-1321 represents a critical vulnerability where applications fail to restrict modifications to an object’s prototype attributes, allowing attackers to inject malicious properties into the global prototype chain. This weakness is typically exploited by crafting specific input payloads that target JavaScript objects, enabling the injection of arbitrary keys such as constructor or prototype references. Successful exploitation can lead to severe consequences, including remote code execution, denial of service, or privilege escalation, as the injected properties affect all subsequent instances of the affected object. To mitigate this risk, developers must implement strict input validation, utilize libraries that freeze prototypes, or employ object creation methods that do not inherit from the global prototype, such as Object.create(null). Additionally, avoiding the use of unsafe recursive merge functions and sanitizing user-controlled data before processing are essential practices for preventing prototype pollution attacks in modern web applications.

MITRE CWE Description
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Common Consequences (2)
Confidentiality, Integrity, AvailabilityRead Application Data, Modify Application Data
This weakness is usually exploited by using a special attribute of objects called proto, constructor, or prototype. Such attributes give access to the object prototype. An attacker can inject attributes that are used in other components by adding or modifying attributes of an object prototype. This …
AvailabilityDoS: Crash, Exit, or Restart
An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.
Mitigations (5)
ImplementationBy freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Effectiveness: High
Architecture and DesignBy blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Effectiveness: High
ImplementationWhen handling untrusted objects, validating using a schema can be used.
Effectiveness: Limited
ImplementationBy using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Effectiveness: High
ImplementationMap can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
Effectiveness: Moderate
Examples (1)
This function sets object attributes based on a dot-separated path.
function setValueByPath (object, path, value) { const pathArray = path.split("."); const attributeToSet = pathArray.pop(); let objectToModify = object; for (const attr of pathArray) { if (typeof objectToModify[attr] !== 'object') { objectToModify[attr] = {}; } objectToModify = objectToModify[attr]; } objectToModify[attributeToSet] = value; return object; }
Bad · JavaScript
setValueByPath({}, "__proto__.isAdmin", true) setValueByPath({}, "constructor.prototype.isAdmin", true)
Bad · JavaScript
CVE IDTitleCVSSSeverityPublished
CVE-2026-49252 deepstream is vulnerable to prototype pollution — deepstream.io 9.9 Critical2026-06-18
CVE-2026-53676 ThingsBoard 输入验证错误漏洞 — ThingsBoard--2026-06-17
CVE-2026-48714 i18next-http-middleware missingKeyHandler does not reject keys whose segments contain prototype-polluting names — i18next-http-middleware 9.1 Critical2026-06-15
CVE-2026-48713 i18next-fs-backend: Prototype pollution via crafted missing-key string — i18next-fs-backend 9.1 Critical2026-06-15
CVE-2026-12209 RubyLouvre avalon Template Filter index.js prototype pollution — avalon 5.3 Medium2026-06-15
CVE-2026-12208 jsonata-js jsonata Function Binding Frame System jsonata.js createFrame prototype pollution — jsonata 5.3 Medium2026-06-15
CVE-2026-53609 Apostrophe has Server-Side Prototype Pollution in apos.util.set via patch operators that leads to process-wide authorization bypass — apostrophe 9.1 Critical2026-06-12
CVE-2026-44490 Axios: DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions — axios 4.8 Medium2026-06-11
CVE-2026-46625 JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection — js-cookie 7.5 High2026-06-10
CVE-2026-45302 Prototype Pollution in parse-nested-form-data via `__proto__` in FormData field names — parse-nested-form-data 8.2 High2026-06-01
CVE-2026-46510 Prototype pollution in form-data-objectizer via bracket-notation form keys — form-data-objectizer 8.2 High2026-05-29
CVE-2026-46509 deepobj: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') — deepobj 8.2 High2026-05-28
CVE-2026-44483 RVF: Prototype pollution in @rvf/set-get reachable via @rvf/core preprocessFormData (HTTP form data) — rvf 8.2 High2026-05-27
CVE-2026-44966 Velocity.js: Prototype Pollution in #set path assignment — velocity.js 8.3 High2026-05-26
CVE-2026-9101 Prototype pollution in csv parsing — Compass 4.3 Medium2026-05-20
CVE-2026-8657 jsondiffpatch 安全漏洞 — jsondiffpatch 8.2 High2026-05-16
CVE-2026-44005 vm2: Sandbox escape — vm2 10.0 Critical2026-05-13
CVE-2026-44292 protobufjs: Prototype injection in generated message constructors — protobuf.js 5.3 Medium2026-05-13
CVE-2026-44290 protobufjs: Process-wide denial of service through unsafe option paths — protobuf.js 7.5 High2026-05-13
CVE-2026-42264 Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking — axios 7.4 High2026-05-08
CVE-2026-42232 n8n: XML Node Prototype Pollution to RCE — n8n 8.8 -2026-05-04
CVE-2026-42231 n8n: Prototype Pollution in XML Webhook Body Parser Leads to RCE — n8n 9.9 -2026-05-04
CVE-2026-42077 Evolver: Prototype Pollution via `Object.assign()` in mailbox store operations — evolver 5.2 Medium2026-05-04
CVE-2026-42033 Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking — axios 7.4 High2026-04-24
CVE-2026-6621 1024bit extend-deep index.js prototype pollution — extend-deep 7.3 High2026-04-20
CVE-2026-6594 brikcss merge prototype pollution — merge 7.3 High2026-04-20
CVE-2026-34622 Acrobat Reader | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321) — Acrobat Reader 8.6 High2026-04-14
CVE-2026-34626 Acrobat Reader | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321) — Acrobat Reader 6.3 Medium2026-04-14
CVE-2026-34621 Acrobat Reader | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321) — Acrobat Reader 8.6 High2026-04-11
CVE-2026-40190 LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()` — langsmith-sdk 5.6 Medium2026-04-10

Vulnerabilities classified as CWE-1321 represent 161 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.