CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Description
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Parent Weaknesses (ChildOf)
Related Weaknesses
Common Consequences
Scope
Impact
Read Application Data, Modify Application Data
Scope
Impact
DoS: Crash, Exit, or Restart
Potential Mitigations
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
When handling untrusted objects, validating using a schema can be used.
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CVE-2018-3721Prototype pollution by merging objects.
CVE-2019-10744Prototype pollution by setting default values to object attributes recursively.
CVE-2019-11358Prototype pollution by merging objects recursively.
CVE-2020-8203Prototype pollution by setting object attributes based on dot-separated path.
Applicable Platforms
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now