CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the product depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).
This weakness is usually exploited by using a special attribute of objects called proto, constructor or prototype. Such attributes give access to the object prototype. This weakness is often found in code that assigns object attributes based on user input, or merges or clones objects recursively.
Modes of Introduction
Phase | Note |
---|---|
Architecture and Design | |
Implementation |
Applicable Platforms
Type | Class | Name | Prevalence |
---|---|---|---|
Language | JavaScript |
Relationships
View | Weakness | |||||||
---|---|---|---|---|---|---|---|---|
# ID | View | Status | # ID | Name | Abstraction | Structure | Status | |
CWE-1000 | Research Concepts | Draft | CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | Base | Simple | Incomplete | |
CWE-1003 | Weaknesses for Simplified Mapping of Published Vulnerabilities | Incomplete | CWE-913 | Improper Control of Dynamically-Managed Code Resources | Class | Simple | Incomplete | |
CWE-1000 | Research Concepts | Draft | CWE-471 | Modification of Assumed-Immutable Data (MAID) | Base | Simple | Draft |
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
CAPEC at Mitre.orgCVEs Published
CVSS Severity
CVSS Severity - By Year
CVSS Base Score
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |