CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Parent: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

501 vulnerabilities with CWE-1321
CVE-2025-57349 (HIGH, CVSS 7.5): messageformat < 2.3.0 - Prototype Pollution via Nested Message Key Paths
CVE-2025-57348 (MEDIUM, CVSS 6.5): node-cube < 5.0.0 - Prototype Pollution via Improper Input Validation
CVE-2025-57347 (CRITICAL, CVSS 9.8): dagre-d3-es < 7.0.11 - Prototype Pollution via 'bk' Module addConflict Function
CVE-2025-57330 (HIGH, CVSS 7.5): web3-core-subscriptions < 1.10.4 - Prototype Pollution via attachToObject Function
CVE-2025-57354 (MEDIUM, CVSS 6.5): counterpart < 0.18.6 - Prototype Pollution via Translation Key Processing
CVE-2025-57353 (MEDIUM, CVSS 5.3): messageformat/runtime 3.0.1 - Prototype Pollution via Nested Message Key Processing
CVE-2025-57352 (MEDIUM, CVSS 5.3): min-document < 2.19.1 - Prototype Pollution via removeAttributeNS Method
CVE-2025-57350 (HIGH, CVSS 8.6): csvtojson < 2.0.10 - Prototype Pollution via Nested Header Parsing
CVE-2025-58280 (HIGH, CVSS 8.4): HarmonyOS - Prototype Pollution in Ark eTS Module
CVE-2025-57820 (HIGH): devalue < 5.3.2 - Prototype Pollution via __proto__ Property Parsing
CVE-2025-55195 (HIGH, CVSS 7.3): @std/toml < 1.0.9 - Prototype Pollution
CVE-2025-55164 (HIGH): content-security-policy-parser < 0.6.0 - Prototype Pollution
CVE-2025-54803 (HIGH, CVSS 7.5): js-toml < 1.0.2 - Prototype Pollution via Malicious TOML Input
CVE-2025-34146 (HIGH): @nyariv/sandboxjs <= 0.8.23 - Prototype Pollution via Insufficient Prototype Access Checks
CVE-2025-8101 (HIGH): linkifyjs 4.3.1 - Prototype Pollution leading to Cross-Site Scripting
CVE-2025-53626 (MEDIUM, CVSS 6.1): pdfme 5.2.0-5.4.0 - Prototype Pollution and Cross-Site Scripting via Expression Evaluation
CVE-2025-49223 (CRITICAL, CVSS 9.8): billboard.js < 3.15.1 - Prototype Pollution via Generate Function
CVE-2025-48054 (MEDIUM): Radashi < 12.5.1 - Prototype Pollution via set Function Path Argument
CVE-2025-5150 (MEDIUM, CVSS 6.3): docarray < 0.40.1 - Prototype Pollution via __getitem__ Function
CVE-2025-26621 (HIGH, CVSS 7.6): OpenCTI < 6.5.2 - Authenticated Denial of Service via Webhook JavaScript Execution
CVE-2025-25014 (CRITICAL, CVSS 9.1): Kibana 8.3.0-8.17.5 - Prototype Pollution via Machine Learning and Reporting Endpoints
CVE-2025-3982 (MEDIUM, CVSS 4.3): nortikin Sverchok 1.3.0 - Prototype Pollution
CVE-2025-32014 (MEDIUM): estree-util-value-to-estree < 3.3.3 - Prototype Pollution via __proto__ Property
CVE-2025-31475 (MEDIUM, CVSS 5.5): Amauri Tarteaucitronjs < 1.20.1 - Prototype Pollution
CVE-2025-3197 (HIGH, CVSS 7.3): expand-object >= 0.0.0 - Prototype Pollution via expand() Function