Skip to main content

Velocity.js CVE-2026-44966

HIGH
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-05-09 https://github.com/shepherdwind/velocity.js GHSA-j658-c2gf-x6pq
8.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
May 09, 2026 - 01:16 vuln.today
Analysis Generated
May 09, 2026 - 01:16 vuln.today
CVE Published
May 09, 2026 - 00:40 nvd
HIGH 8.3

DescriptionGitHub Advisory

Summary

A prototype pollution vulnerability was discovered in Velocity.js <= 2.1.5. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, it is possible to modify Object.prototype, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE) depending on the server environment.

Details

The root cause is located in the #set path assignment logic within the source code:

  • File: /src/compile/set.ts
  • Issue: The engine accepts arbitrary path keys and performs assignments using the logic (baseRef as Record<string, unknown>)[key] = val.

Because there is no validation or filtering to block sensitive keys such as \_\_proto\_\_, constructor, or prototype, an attacker can traverse the prototype chain and pollute the global Object.prototype.

PoC

javascript
const {render} = require('velocityjs');
delete Object.prototype.polluted;
console.log({}.polluted); // ""
render('#set($__proto__.polluted = "hacked")', {});
console.log({}.polluted); // "hacked"
delete Object.prototype.polluted;

Impact

  • Vulnerability Type: Prototype Pollution
  • Who is impacted: Any application that renders Velocity templates where the template content can be influenced or controlled by untrusted users.
  • Severity: High. Prototype pollution can often be used to bypass security controls, cause application crashes (DoS), or be chained with other vulnerabilities to achieve code execution.

AnalysisAI

Prototype pollution in Velocity.js npm package versions <=2.1.5 allows remote attackers to modify Object.prototype through malicious #set directives in templates, enabling denial of service or potential remote code execution when template content is attacker-controlled. Publicly available exploit code exists. EPSS data unavailable, but the low attack complexity (CVSS AC:L), network attack vector (AV:N), and no authentication requirement (PR:N) combined with published POC code indicate elevated risk for applications rendering untrusted Velocity templates.

Technical ContextAI

Velocity.js is a JavaScript implementation of the Apache Velocity templating engine for Node.js applications. The vulnerability stems from improper input validation in the #set directive handler (src/compile/set.ts), which performs direct property assignments using JavaScript's bracket notation without filtering dangerous property names. The code executes (baseRef as Record<string, unknown>)[key] = val without blocking special keys like __proto__, constructor, or prototype. This is a classic CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) vulnerability. When user-controlled template strings are rendered, attackers can inject directives such as #set($__proto__.polluted = "value") to traverse the prototype chain and pollute Object.prototype, affecting all JavaScript objects in the runtime environment. The CPE identifier pkg:npm/velocityjs confirms this affects the npm package ecosystem.

RemediationAI

No vendor-released patch exists at time of analysis - the GitHub advisory explicitly lists 'fixed in: None' for versions <=2.1.5. Until a patched version is available, implement the following compensating controls with noted trade-offs: (1) Eliminate attacker control over template content - restrict template creation/modification to trusted administrators only and store templates server-side outside web root; this is the most effective mitigation but may break features requiring dynamic template generation. (2) Implement allowlist validation for #set directive variable names - modify or wrap the Velocity.js render function to reject templates containing __proto__, constructor, or prototype in #set statements; this requires code changes and may have false positives if legitimate variables use these names. (3) Deploy object-freeze protections - execute Object.freeze(Object.prototype) at application startup to prevent prototype modification; this can break libraries expecting mutable prototypes and should be tested thoroughly. (4) Sandbox template rendering - isolate Velocity.js execution in a separate V8 context using vm2 or isolated-vm npm packages; adds performance overhead and complexity. (5) Consider migrating to actively maintained alternatives like Handlebars, Mustache, or Nunjucks that have prototype pollution protections. Monitor https://github.com/shepherdwind/velocity.js/security/advisories/GHSA-j658-c2gf-x6pq for patch availability.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

CVE-2026-44966 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy