Velocity.js CVE-2026-44966
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
A prototype pollution vulnerability was discovered in Velocity.js <= 2.1.5. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, it is possible to modify Object.prototype, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE) depending on the server environment.
Details
The root cause is located in the #set path assignment logic within the source code:
- File: /src/compile/set.ts
- Issue: The engine accepts arbitrary path keys and performs assignments using the logic
(baseRef as Record<string, unknown>)[key] = val.
Because there is no validation or filtering to block sensitive keys such as \_\_proto\_\_, constructor, or prototype, an attacker can traverse the prototype chain and pollute the global Object.prototype.
PoC
const {render} = require('velocityjs');
delete Object.prototype.polluted;
console.log({}.polluted); // ""
render('#set($__proto__.polluted = "hacked")', {});
console.log({}.polluted); // "hacked"
delete Object.prototype.polluted;Impact
- Vulnerability Type: Prototype Pollution
- Who is impacted: Any application that renders Velocity templates where the template content can be influenced or controlled by untrusted users.
- Severity: High. Prototype pollution can often be used to bypass security controls, cause application crashes (DoS), or be chained with other vulnerabilities to achieve code execution.
AnalysisAI
Prototype pollution in Velocity.js npm package versions <=2.1.5 allows remote attackers to modify Object.prototype through malicious #set directives in templates, enabling denial of service or potential remote code execution when template content is attacker-controlled. Publicly available exploit code exists. EPSS data unavailable, but the low attack complexity (CVSS AC:L), network attack vector (AV:N), and no authentication requirement (PR:N) combined with published POC code indicate elevated risk for applications rendering untrusted Velocity templates.
Technical ContextAI
Velocity.js is a JavaScript implementation of the Apache Velocity templating engine for Node.js applications. The vulnerability stems from improper input validation in the #set directive handler (src/compile/set.ts), which performs direct property assignments using JavaScript's bracket notation without filtering dangerous property names. The code executes (baseRef as Record<string, unknown>)[key] = val without blocking special keys like __proto__, constructor, or prototype. This is a classic CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) vulnerability. When user-controlled template strings are rendered, attackers can inject directives such as #set($__proto__.polluted = "value") to traverse the prototype chain and pollute Object.prototype, affecting all JavaScript objects in the runtime environment. The CPE identifier pkg:npm/velocityjs confirms this affects the npm package ecosystem.
RemediationAI
No vendor-released patch exists at time of analysis - the GitHub advisory explicitly lists 'fixed in: None' for versions <=2.1.5. Until a patched version is available, implement the following compensating controls with noted trade-offs: (1) Eliminate attacker control over template content - restrict template creation/modification to trusted administrators only and store templates server-side outside web root; this is the most effective mitigation but may break features requiring dynamic template generation. (2) Implement allowlist validation for #set directive variable names - modify or wrap the Velocity.js render function to reject templates containing __proto__, constructor, or prototype in #set statements; this requires code changes and may have false positives if legitimate variables use these names. (3) Deploy object-freeze protections - execute Object.freeze(Object.prototype) at application startup to prevent prototype modification; this can break libraries expecting mutable prototypes and should be tested thoroughly. (4) Sandbox template rendering - isolate Velocity.js execution in a separate V8 context using vm2 or isolated-vm npm packages; adds performance overhead and complexity. (5) Consider migrating to actively maintained alternatives like Handlebars, Mustache, or Nunjucks that have prototype pollution protections. Monitor https://github.com/shepherdwind/velocity.js/security/advisories/GHSA-j658-c2gf-x6pq for patch availability.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-j658-c2gf-x6pq