1. Home
  2. Weaknesses
  3. CWE-1321

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

ID CWE-1321
Abstraction Variant
Structure Simple
Status Incomplete
Number of CVEs 318
Detail CAPEC Dashboard Vulnerabilities Web & Social
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the product depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

This weakness is usually exploited by using a special attribute of objects called proto, constructor or prototype. Such attributes give access to the object prototype. This weakness is often found in code that assigns object attributes based on user input, or merges or clones objects recursively.

Modes of Introduction

Phase Note
Architecture and Design
Implementation

Applicable Platforms

Type Class Name Prevalence
Language JavaScript

Relationships

View Weakness
# ID View Status # ID Name Abstraction Structure Status
CWE-1000 Research Concepts Draft CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes Base Simple Incomplete
CWE-1003 Weaknesses for Simplified Mapping of Published Vulnerabilities Incomplete CWE-913 Improper Control of Dynamically-Managed Code Resources Class Simple Incomplete
CWE-1000 Research Concepts Draft CWE-471 Modification of Assumed-Immutable Data (MAID) Base Simple Draft

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
# ID Name Weaknesses
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs CWE-1321
CAPEC-77 Manipulating User-Controlled Variables CWE-1321
CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels CWE-1321

CVEs Published

Based on CVE published date

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date