All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function.
All versions of the package dot-lens are vulnerable to Prototype Pollution via the set() function in index.js file.
All versions of the package progressbar.js are vulnerable to Prototype Pollution via the function extend() in the file utils.js.
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content.
Prototype Pollution in GitHub repository mastodon/mastodon prior to 3.5.0.
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.
Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.
merge is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function.
objection.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Prototype pollution vulnerability in stealjs steal 2.2.4 via the alias variable in babel.js.
Prototype Pollution in Visioweb.js 1.10.6 allows attackers to execute XSS on the client system.
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
All versions of the package rangy are vulnerable to Prototype Pollution when using the extend() function in file rangy-core.js.The function uses recursive merge which can lead an attacker to modify pr...
In NASA Open MCT (aka openmct) before 3.1.0, prototype pollution can occur via an import action.
body-parser-xml is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Prototype pollution vulnerability in tschaub gh-pages 3.1.0 via the partial variable in util.js.
hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function.
Prototype pollution vulnerability in karma-runner grunt-karma 4.0.1 via the key variable in grunt-karma.js.
Prototype pollution vulnerability in function enable in mockery.js in mfncooper mockery commit 822f0566fd6d72af8c943ae5ca2aa92e516aa2cf via the key variable in mockery.js.
All versions of the package flatnest are vulnerable to Prototype Pollution via the nest() function in the flatnest/nest.js file.
In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty.
vConsole v3.15.0 was discovered to contain a prototype pollution due to incorrect key and value resolution in setOptions in core.ts.
Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the shimPath variable in resolve-shims.js.
Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the fullPath variable in resolve-shims.js.
Prototype Pollution in lukebond json-override 0.2.0 allows attackers to to execute arbitrary code or cause a Denial of Service (DoS) via the __proto__ property.
Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.
Versions of the package collection.js before 6.8.1 are vulnerable to Prototype Pollution via the extend function in Collection.js/dist/node/iterators/extend.js.
Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application.
The package express-xss-sanitizer before 1.1.3 are vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization.
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the function mergeObjects.
Prototype pollution vulnerability in '101' versions 1.0.0 through 1.6.3 allows an attacker to cause a denial of service and may lead to remote code execution.
Prototype pollution vulnerability in 'safe-obj' versions 1.0.0 through 1.0.2 allows an attacker to cause a denial of service and may lead to remote code execution.
Prototype pollution vulnerability in 'patchmerge' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
Prototype pollution vulnerability in 'changeset' versions 0.0.1 through 0.2.5 allows an attacker to cause a denial of service and may lead to remote code execution.
Prototype pollution vulnerability in 'object-collider' versions 1.0.0 through 1.0.3 allows attacker to cause a denial of service and may lead to remote code execution.
chase-moskal snapstate v0.0.9 was discovered to contain a prototype pollution via the function attemptNestedProperty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of...
SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file. In other words. 0.19.2 and earlier are affected, whereas 0.19.3 and later are unaffected.
Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
Prototype pollution vulnerability in 'safe-flat' versions 2.0.0 through 2.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
ais-ltd strategyen v0.4.0 was discovered to contain a prototype pollution via the function mergeObjects. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS...
Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge methods of lodash to merge objects.
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js...
Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the _assign() method at (/lib/index...
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises f...
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the ...
All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerabi...
Versions of the package underscore-keypath from 0.0.11 are vulnerable to Prototype Pollution via the name argument of the setProperty() function. Exploiting this vulnerability is possible due to impro...