Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-1321 — Vulnerability Class 142

142 vulnerabilities classified as CWE-1321. AI Chinese analysis included.

CWE-1321 represents a critical vulnerability where applications fail to restrict modifications to an object’s prototype attributes, allowing attackers to inject malicious properties into the global prototype chain. This weakness is typically exploited by crafting specific input payloads that target JavaScript objects, enabling the injection of arbitrary keys such as constructor or prototype references. Successful exploitation can lead to severe consequences, including remote code execution, denial of service, or privilege escalation, as the injected properties affect all subsequent instances of the affected object. To mitigate this risk, developers must implement strict input validation, utilize libraries that freeze prototypes, or employ object creation methods that do not inherit from the global prototype, such as Object.create(null). Additionally, avoiding the use of unsafe recursive merge functions and sanitizing user-controlled data before processing are essential practices for preventing prototype pollution attacks in modern web applications.

MITRE CWE Description
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Common Consequences (2)
Confidentiality, Integrity, AvailabilityRead Application Data, Modify Application Data
This weakness is usually exploited by using a special attribute of objects called proto, constructor, or prototype. Such attributes give access to the object prototype. An attacker can inject attributes that are used in other components by adding or modifying attributes of an object prototype. This …
AvailabilityDoS: Crash, Exit, or Restart
An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.
Mitigations (5)
ImplementationBy freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Effectiveness: High
Architecture and DesignBy blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Effectiveness: High
ImplementationWhen handling untrusted objects, validating using a schema can be used.
Effectiveness: Limited
ImplementationBy using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Effectiveness: High
ImplementationMap can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
Effectiveness: Moderate
Examples (1)
This function sets object attributes based on a dot-separated path.
function setValueByPath (object, path, value) { const pathArray = path.split("."); const attributeToSet = pathArray.pop(); let objectToModify = object; for (const attr of pathArray) { if (typeof objectToModify[attr] !== 'object') { objectToModify[attr] = {}; } objectToModify = objectToModify[attr]; } objectToModify[attributeToSet] = value; return object; }
Bad · JavaScript
setValueByPath({}, "__proto__.isAdmin", true) setValueByPath({}, "constructor.prototype.isAdmin", true)
Bad · JavaScript
CVE IDTitleCVSSSeverityPublished
CVE-2026-2964 higuma web-audio-recorder-js Dynamic Config Handling WebAudioRecorder.js extend prototype pollution — web-audio-recorder-js 5.0 Medium2026-02-23
CVE-2026-27212 Swiper has a Prototype Pollution Vulnerability — swiper 9.8AICriticalAI2026-02-21
CVE-2026-26021 Prototype pollution in set-in — set-in 9.8AICriticalAI2026-02-11
CVE-2026-25881 @nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape) — SandboxJS 9.1 Critical2026-02-09
CVE-2026-25754 AdonisJS multipart body parsing has Prototype Pollution issue — core 7.2 High2026-02-06
CVE-2026-25521 Locutus is vulnerable to Prototype Pollution — locutus 9.8 -2026-02-04
CVE-2026-25150 Prototype Pollution via FormData Processing in Qwik City — qwik 9.3 Critical2026-02-03
CVE-2026-25047 deepHas vulnerable to Prototype Pollution via constructor.prototype — deepHas 5.3AIMediumAI2026-01-29
CVE-2026-24888 Maker.js Vulnerable to Unsafe Property Copying in makerjs.extendObject — maker.js 6.5 Medium2026-01-28
CVE-2026-24766 NocoDB Vulnerable to Prototype Pollution in Connection Test Endpoint, Leading to DoS — nocodb 4.9 Medium2026-01-28
CVE-2026-23736 seroval Affected by Prototype Pollution via JSON Deserialization — seroval 7.3 High2026-01-21
CVE-2025-13465 Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions — Lodash 9.1AICriticalAI2026-01-21
CVE-2024-14020 carboneio carbone Formatter input.js prototype pollution — carbone 5.0 Medium2026-01-07
CVE-2025-13158 apidoc-core - prototype pollution in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker — apidoc-core 9.8 -2025-12-26
CVE-2025-68130 tRPC has possible prototype pollution in `experimental_nextAppDirCaller` — trpc 9.8AICriticalAI2025-12-16
CVE-2025-8083 Vuetify Prototype Pollution via Preset options — Vuetify 8.6 High2025-12-12
CVE-2025-66456 Elysia vulnerable to prototype pollution with multiple standalone schema validation — elysia 9.8AICriticalAI2025-12-09
CVE-2025-64718 js-yaml has prototype pollution in merge (<<) — js-yaml 5.3 Medium2025-11-13
CVE-2025-62517 Rollbar.js Prototype Pollution Vulnerability in merge() — rollbar.js 5.9 Medium2025-10-23
CVE-2025-62410 --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom — happy-dom 10.0 -2025-10-15
CVE-2025-62381 sveltekit-superforms Prototype Pollution in `parseFormData` function of `formData.js` — sveltekit-superforms 9.8AICriticalAI2025-10-15
CVE-2025-62374 Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs — Parse-SDK-JS 6.4 Medium2025-10-14
CVE-2025-3193 algoliasearch-helper 安全漏洞 — algoliasearch-helper 7.5 High2025-09-27
CVE-2025-58280 Huawei HarmonyOS 安全漏洞 — HarmonyOS 8.4 High2025-09-05
CVE-2025-57820 Svelte devalue vulnerable to prototype pollution — devalue 9.1AICriticalAI2025-08-26
CVE-2025-55195 @std/toml Prototype Pollution in Node.js and Browser — std 7.3 High2025-08-14
CVE-2025-55164 content-security-policy-parser Prototype Pollution Vulnerability May Lead to RCE — content-security-policy-parser 9.8AICriticalAI2025-08-12
CVE-2025-54803 js-toml is vulnerable to Prototype Pollution — js-toml 9.8AICriticalAI2025-08-05
CVE-2025-34146 nyariv sandboxjs 0.8.23 Prototype Pollution Sandbox Escape DoS — sandboxjs 9.8AICriticalAI2025-07-31
CVE-2025-8101 Linkify 4.3.1 - Prototype Pollution & HTML Attribute Injection (XSS) — Linkify 6.1 -2025-07-25

Vulnerabilities classified as CWE-1321 represent 142 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.