npm (Nodejs), Prototype Pollution, CVE-2026-45325 (High)

Listen to this Post

The `setValueAtPath()` function in `@tmlmobilidade/utils` fails to sanitize user-controlled path segments before assigning a value to an object property. This allows an attacker to supply a path that includes __proto__, constructor.prototype, or `prototype` as a key. When the function traverses the path, it inadvertently writes to `Object.prototype` instead of a safe target object. As a result, any property injected into `Object.prototype` becomes enumerable on all objects created thereafter. This can be used to override built‑in methods (e.g., toString, hasOwnProperty), disrupt application logic, or inject malicious properties that bypass input validation. The vulnerability is triggered if an attacker can control the `path` argument passed to setValueAtPath(), which is common in applications that accept user‑supplied keys for dynamic object updates. Because JavaScript resolves inherited properties at runtime, a single polluted prototype can affect every object in the same execution context, leading to denial‑of‑service, arbitrary property injection, and potentially remote code execution if the polluted property is later used unsafely (e.g., in an eval or child process call). The flaw existed in all versions prior to 20260509.0340.15, where the function did not block or escape prototype‑related path segments. The fix introduces a strict path validation routine that rejects any segment matching __proto__, prototype, or constructor.

dailycve form:

Platform: npm (Node.js)
Version: <20260509.0340.15
Vulnerability: Prototype Pollution
Severity: HIGH
date: 2026-05-18

Prediction: Patch released 2026-05-09

What Undercode Say:

Analytics

Check installed version
npm list @tmlmobilidade/utils
Detect vulnerable version (returns true for <20260509.0340.15)
npm view @tmlmobilidade/utils version | grep -P '^(202[0-4]|20250[0-4]|202505[0-1]|20250520|2025052[0-9]|20250530|2025053[0-9]|202506...|2026050[0-8]|20260509[.][0-3][0-9][0-9][0-9]).[0-9]+'
Upgrade to patched version
npm install @tmlmobilidade/[email protected]
Audit for prototype pollution vulnerabilities
npm audit --production

Exploit:

const { setValueAtPath } = require('@tmlmobilidade/utils');
const maliciousPath = '<strong>proto</strong>.isAdmin';
setValueAtPath({}, maliciousPath, true);
console.log(({}).isAdmin); // true → prototype polluted

Protection from this CVE

  • Upgrade to `20260509.0340.15` or later.
  • Validate and sanitize all user‑supplied path strings – reject any segment containing __proto__, prototype, or constructor.
  • Use `Object.create(null)` to create prototype‑less objects where dynamic keys are set.
  • Freeze `Object.prototype` with `Object.freeze(Object.prototype)` in high‑security contexts.
  • Employ a static analysis tool (e.g., ESLint with no-prototype-builtins) to detect unsafe property assignments.

Impact

  • Denial of Service: Overriding core methods like `toString` or `hasOwnProperty` can break application logic.
  • Privilege Escalation: Injecting properties such as `isAdmin` can bypass authorization checks.
  • Remote Code Execution (potential): If a polluted property is later used in eval(), child_process.exec(), or similar sinks, an attacker may achieve RCE.
  • Data Integrity: Malicious properties can be added to all objects, leading to unexpected behavior or data corruption.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top