CVE-2021-28860
In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() fun
CVSS
9.1
Crítico
EPSS
1.8%
p76
KEV
—
Exploit Today
23
0-100
Publicado: 3 may 2021 · Última mod.: 9 jul 2026 · CWE-1321
1.8%EPSS · 30 días2.0%
2026-06-302026-07-16
In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).
- github.comhttps://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028
- github.comhttps://github.com/adaltas/node-mixme/issues/1
- github.comhttps://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4
- security.netapp.comhttps://security.netapp.com/advisory/ntap-20210618-0005/
- www.npmjs.comhttps://www.npmjs.com/~david
- github.comhttps://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028
- github.comhttps://github.com/adaltas/node-mixme/issues/1
- github.comhttps://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4
- security.netapp.comhttps://security.netapp.com/advisory/ntap-20210618-0005/
- www.npmjs.comhttps://www.npmjs.com/~david
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2025-134655.3 MED72.0%
——22Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.2314hCVE-2023-388949.8 CRÍ69.6%
——21A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code via the extend function.8dCVE-2022-372579.8 CRÍ61.8%
——19Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the requestedVersion variable in npm-convert.js.8dCVE-2026-444948.7 ALT60.1%
——18Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.14hCVE-2026-290639.8 CRÍ58.2%
——17Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.14hCVE-2026-4400510.0 CRÍ53.8%
——16vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox This vulnerability is fixed in 3.11.0.2d