CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Parent: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

501 vulnerabilities with CWE-1321
CVE-2025-25977 CRITICAL
canvg 4.0.2 - Remote Code Execution via StyleElement Constructor
CVSS 9.8
CVE-2025-27597 HIGH
Intlify Message-resolver < 9.1.11 - Prototype Pollution
CVE-2025-25015 CRITICAL
Kibana 8.15.0-8.16.5 and 8.17.1-8.17.2 - Authenticated Remote Code Execution via Prototype Pollution
CVSS 9.9
CVE-2024-14020 MEDIUM
carbone < 3.5.6 - Prototype Pollution in Formatter Handler
CVSS 5.0
CVE-2024-57708 MEDIUM
OneTrust SDK 6.33.0 - Denial of Service via Prototype Pollution
CVSS 5.7
CVE-2024-12556 HIGH
Kibana 8.16.1-8.16.3 - Prototype Pollution and Code Injection via File Upload and Path Traversal
CVSS 8.7
CVE-2024-57083 HIGH
redocly/redoc < 2.2.0 and npm/redoc < 2.4.0 - Denial of Service via Prototype Pollution in Module.mergeObjects
CVSS 7.5
CVE-2024-38988 CRITICAL
alizeait unflatto <= 1.0.2 - Prototype Pollution via exports.unflatto Method
CVSS 9.8
CVE-2024-38985 CRITICAL
janrywang depath and cool-path - Prototype Pollution via setIn Method
CVSS 9.8
CVE-2024-24292 CRITICAL
Aliconnect SDK 0.0.6 - Prototype Pollution via aim Function
CVSS 9.8
CVE-2024-11628 MEDIUM
Telerik Kendo UI for Vue <6.0.1 - Command Injection
CVSS 4.1
CVE-2024-12629 MEDIUM
Progress KendoReact 3.5.0-9.4.0 - Prototype Pollution
CVSS 4.1
CVE-2024-57086 HIGH
node-opcua-alarm-condition <2.134.0 - DoS
CVSS 7.5
CVE-2024-57084 HIGH
dot-properties 1.0.1 - Denial of Service via Prototype Pollution in lib.parse
CVSS 7.5
CVE-2024-57080 HIGH
vxe-table 4.8.10 - Denial of Service via Prototype Pollution in lib.install
CVSS 7.5
CVE-2024-57078 HIGH
cli-util 1.1.27 - Denial of Service via Prototype Pollution in lib.merge
CVSS 7.5
CVE-2024-57077 CRITICAL
utils-extend 1.0.8 - Prototype Pollution
CVSS 9.1
CVE-2024-57072 HIGH
module-from-string 3.3.1 - Denial of Service via Prototype Pollution
CVSS 7.5
CVE-2024-57071 HIGH
php-parser 3.2.1 - Denial of Service via Prototype Pollution in lib.combine
CVSS 7.5
CVE-2024-57069 HIGH
expand-object 0.4.2 - Denial of Service via Prototype Pollution
CVSS 7.5
CVE-2024-57067 HIGH
dot-qs 0.2.0 - Denial of Service via Prototype Pollution in lib.parse
CVSS 7.5
CVE-2024-57066 HIGH
@ndhoule/defaults 2.0.1 - Denial of Service via Prototype Pollution in lib.deep
CVSS 7.5
CVE-2024-57065 HIGH
utile 0.3.0 - Denial of Service via Prototype Pollution in lib.createPath
CVSS 7.5
CVE-2024-57064 HIGH
@syncfusion/ej2-spreadsheet <v27.2.2 - DoS
CVSS 7.5
CVE-2024-57063 HIGH
php-date-formatter 1.3.6 - Denial of Service via Prototype Pollution
CVSS 7.5