Skip to main content

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')


Severity High
Score 7.5/10


object-path package is vulnerable to Prototype Pollution in versions before 0.11.8. The functions del(), empty(), push(), insert() are vulnerable when using the "inherited props" mode (e.g., when a new object-path instance is created with the includeInheritedProps option set to true, or when using the withInheritedProps default instance). To help prevent this type of vulnerability in the client code, the get() function will now throw an exception if an object's magic properties are accessed. The vulnerability does not exist in the default instance exposed by object path (e.g., objectPath.del()) if using a version from 0.11.0.

  • LOW
  • NONE
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-1321 - Prototype Pollution

Prototype pollution is one of the lesser-known vulnerabilities. It allows attackers to abuse the rules of JavaScript by injecting properties into the general object “Object” in JS. Modifying the prototype of “Object” affects the behavior of all objects in the entire app, potentially resulting in denial of service, arbitrary code execution, cross-site scripting, etc.

Advisory Timeline

  • Published