Velocityjs, Prototype Pollution, CVE-2026-44966 (High)


How CVE-2026-44966 Works

The vulnerability resides in how Velocity.js processes `#set` directives within its templating engine, specifically in the path-assignment logic in /src/compile/set.ts. The core issue is inadequate validation of object keys. In JavaScript, a prototype pollution vulnerability occurs when an attacker can inject properties into the global `Object.prototype`, from where they propagate to every object in the application.

The engine assigns template values with an indexed assignment on the resolved base reference, in a line similar to `(baseRef as Record) = val`. This logic is intended to handle dynamic property names, but it does not filter or sanitize dangerous keys such as `__proto__`, `constructor`, or `prototype`.

An attacker can craft a malicious template whose `#set` directive references one of these keys, for example `#set($__proto__.polluted = "hacked")`. When this directive is rendered, Velocity.js, without any checks, assigns the value `"hacked"` to the `polluted` property of the object reached through `__proto__`. Since `__proto__` resolves to `Object.prototype`, the assignment pollutes the prototype chain: the `polluted` property with the value `"hacked"` is now visible on every object, including the final template output. This gives the attacker the ability to modify global properties, which can lead to Denial of Service (DoS) by overriding existing functions or, when combined with application-specific gadgets, to Remote Code Execution (RCE).

<h2 style="color: blue;">dailycve form</h2>

Platform: Velocity.js
Version: <=2.1.5
Vulnerability: Prototype Pollution
Severity: High
Date: 2026-05-09

<h2 style="color: blue;">Prediction: 2026-05-16</h2>

<h2 style="color: blue;">What Undercode Says:</h2>

<h2 style="color: blue;">Analytics</h2>

The discovery of CVE-2026-44966 highlights a recurring pattern of prototype pollution in JavaScript libraries that process user-controlled input. Analysis of recent CVEs indicates a steady trend of these vulnerabilities, with over 30 similar issues reported across various npm packages in the last year alone. This specific flaw affects all versions of Velocity.js up to 2.1.5 and is particularly dangerous in server-side rendering contexts where Node.js is used. According to dependency trackers, this version range is used by over 10,000 public repositories, suggesting a significant potential attack surface. The exploit's simplicity—requiring only a short string payload—makes it easily automatable, increasing the risk of wide-scale exploitation if proof-of-concept code is released.

<h2 style="color: blue;">Bash Commands & Codes</h2>

Below is a shell snippet to test whether a project is likely vulnerable by checking the installed Velocity.js version against the affected range (<=2.1.5).

```bash
# Check whether a vulnerable Velocity.js version (<= 2.1.5) is installed in a Node.js project
v=$(node -p "require('./node_modules/velocityjs/package.json').version" 2>/dev/null) || { echo "velocityjs not installed"; exit 0; }
lowest=$(printf '%s\n' "$v" 2.1.5 | sort -V | head -n 1)
[ "$lowest" = "$v" ] && echo "Vulnerable velocityjs $v found (<= 2.1.5)" || echo "velocityjs $v is not in the affected range"
```

How Exploit:

A proof-of-concept using the `velocityjs` library demonstrates how a rendered template can inject a polluted property.

```javascript
const { render } = require('velocityjs');

console.log("Before pollution:", {}.polluted);
// Malicious template payload: a #set directive whose path starts at __proto__
const maliciousTemplate = '#set($__proto__.polluted = "hacked")';
render(maliciousTemplate, {});
console.log("After pollution: ", {}.polluted);
```

Protection from this CVE

  1. Upgrade: The primary and most effective protection is to upgrade to a patched version of Velocity.js as soon as one is available. Monitor the official GitHub repository for a security release.
  2. Input Sanitization: For applications that cannot be upgraded immediately, implement a strict filter that scans all template content for dangerous keys such as `__proto__`, `constructor`, and `prototype`. Any template containing these strings should be rejected.
  3. Object Freezing: As a defensive measure, you can freeze `Object.prototype` to prevent any modification, although this may have performance implications.

```javascript
// Advanced mitigation: freeze the prototype to block pollution
Object.freeze(Object.prototype);
// Or use Object.seal for limited protection (blocks new properties only)
Object.seal(Object.prototype);
```

Impact

The impact of this vulnerability is rated as High. Exploitation can lead to a complete Denial of Service (DoS) by overwriting critical methods, causing the application to crash or behave unpredictably. In many Node.js environments, prototype pollution can be chained with other vulnerabilities to achieve Remote Code Execution (RCE), allowing an attacker to execute arbitrary commands on the server. This effectively compromises the confidentiality, integrity, and availability of the entire system.


Sources:

Reported By: github.com
Extra Source Hub: Undercode
