Listen to this Post
The `setValueAtPath()` function in `@tmlmobilidade/utils` fails to sanitize user-controlled path segments before assigning a value to an object property. This allows an attacker to supply a path that includes __proto__, constructor.prototype, or `prototype` as a key. When the function traverses the path, it inadvertently writes to `Object.prototype` instead of a safe target object. As a result, any property injected into `Object.prototype` becomes enumerable on all objects created thereafter. This can be used to override built‑in methods (e.g., toString, hasOwnProperty), disrupt application logic, or inject malicious properties that bypass input validation. The vulnerability is triggered if an attacker can control the `path` argument passed to setValueAtPath(), which is common in applications that accept user‑supplied keys for dynamic object updates. Because JavaScript resolves inherited properties at runtime, a single polluted prototype can affect every object in the same execution context, leading to denial‑of‑service, arbitrary property injection, and potentially remote code execution if the polluted property is later used unsafely (e.g., in an eval or child process call). The flaw existed in all versions prior to 20260509.0340.15, where the function did not block or escape prototype‑related path segments. The fix introduces a strict path validation routine that rejects any segment matching __proto__, prototype, or constructor.
dailycve form:
Platform: npm (Node.js)
Version: <20260509.0340.15
Vulnerability: Prototype Pollution
Severity: HIGH
date: 2026-05-18
Prediction: Patch released 2026-05-09
What Undercode Say:
Analytics
Check installed version npm list @tmlmobilidade/utils Detect vulnerable version (returns true for <20260509.0340.15) npm view @tmlmobilidade/utils version | grep -P '^(202[0-4]|20250[0-4]|202505[0-1]|20250520|2025052[0-9]|20250530|2025053[0-9]|202506...|2026050[0-8]|20260509[.][0-3][0-9][0-9][0-9]).[0-9]+' Upgrade to patched version npm install @tmlmobilidade/[email protected] Audit for prototype pollution vulnerabilities npm audit --production
Exploit:
const { setValueAtPath } = require('@tmlmobilidade/utils');
const maliciousPath = '<strong>proto</strong>.isAdmin';
setValueAtPath({}, maliciousPath, true);
console.log(({}).isAdmin); // true → prototype polluted
Protection from this CVE
- Upgrade to `20260509.0340.15` or later.
- Validate and sanitize all user‑supplied path strings – reject any segment containing
__proto__,prototype, orconstructor. - Use `Object.create(null)` to create prototype‑less objects where dynamic keys are set.
- Freeze `Object.prototype` with `Object.freeze(Object.prototype)` in high‑security contexts.
- Employ a static analysis tool (e.g., ESLint with
no-prototype-builtins) to detect unsafe property assignments.
Impact
- Denial of Service: Overriding core methods like `toString` or `hasOwnProperty` can break application logic.
- Privilege Escalation: Injecting properties such as `isAdmin` can bypass authorization checks.
- Remote Code Execution (potential): If a polluted property is later used in
eval(),child_process.exec(), or similar sinks, an attacker may achieve RCE. - Data Integrity: Malicious properties can be added to all objects, leading to unexpected behavior or data corruption.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

