9.8
CVE-2026-27837
- EPSS 0.3%
- Veröffentlicht 26.02.2026 00:19:24
- Zuletzt bearbeitet 28.02.2026 00:58:17
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginDottie vulnerable to prototype pollution bypass via non-first path segments in set() and transform()
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Dottie Project ≫ Dottie SwPlatformnode.js Version >= 2.0.4 < 2.0.7
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.3% | 0.218 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 6.3 | 2.8 | 3.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
|
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
https://github.com/mickhansen/dottie.js/security/advisories/GHSA-r5mx-6wc6-7h9w
https://github.com/mickhansen/dottie.js/commit/7e8fa1345a4b46325f0eab8d7aeb1c4deaefdb14
https://github.com/advisories/GHSA-4gxf-g5gf-22h4