Skip to main content

@nevware21/ts-utils CVE-2026-46681

HIGH
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-05-21 https://github.com/nevware21/ts-utils GHSA-x7j8-49r8-mr43
Share

Lifecycle Timeline

2
Source Code Evidence Fetched
May 21, 2026 - 22:31 vuln.today
Analysis Generated
May 21, 2026 - 22:31 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @nevware21/ts-utils (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.14.0.

DescriptionCVE.org

Summary

The _copyProps function in lib/src/object/copy.ts uses for...in to iterate over source object properties without an Object.hasOwnProperty check, and does not filter dangerous keys (__proto__, constructor, prototype). This allows an attacker to pollute the prototype chain of all objects in the application.

Details

In _copyProps() (copy.ts lines 186-191), the code iterates all enumerable properties including inherited ones and dangerous keys like __proto__. Any object with a __proto__ key (e.g., from untrusted JSON input) will overwrite the target's prototype.

PoC

const malicious = JSON.parse('{"__proto__": {"polluted": true}}');
objDeepCopy(malicious);
console.log({}.polluted); // true

Suggested Fix

Add objHasOwnProperty check and filter __proto__, constructor, prototype keys.

AnalysisAI

Prototype pollution in @nevware21/ts-utils versions <= 0.13.0 allows attackers to corrupt the global Object prototype by passing crafted JSON containing a __proto__ key to objDeepCopy or objCopyProps. The flaw resides in the _copyProps helper, which iterates source properties with for...in without hasOwnProperty filtering and does not block dangerous keys. Publicly available exploit code exists via the vendor's GHSA proof-of-concept, though no public exploit identified at time of analysis beyond the disclosure PoC, and no KEV listing.

Technical ContextAI

@nevware21/ts-utils is an npm-published TypeScript utility library providing helpers such as objDeepCopy and objCopyProps for cloning and merging objects. The root cause is CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, a.k.a. Prototype Pollution): in lib/src/object/copy.ts the _copyProps function (lines 186-191) walks enumerable properties via for...in, which traverses inherited keys as well as the special __proto__ accessor, and assigns them onto the destination object. When the source is parsed from untrusted JSON, JSON.parse produces an own __proto__ data property whose assignment mutates Object.prototype, propagating the pollutant to every object in the runtime. The CPE identifier pkg:npm/@nevware21_ts-utils confirms the affected component is the npm package.

RemediationAI

Vendor-released patch: 0.14.0 - upgrade @nevware21/ts-utils to >= 0.14.0 via npm/yarn/pnpm and rebuild any applications or transitive dependents that bundle it, per the advisory at https://github.com/nevware21/ts-utils/security/advisories/GHSA-x7j8-49r8-mr43. If immediate upgrade is not possible, avoid passing untrusted JSON or any object derived from external input directly to objDeepCopy or objCopyProps, and sanitize incoming payloads by stripping __proto__, constructor, and prototype keys before deserialization or before invoking these helpers (trade-off: requires audit of every call site and may miss indirect callers in transitive dependencies). As a runtime defense, applications can freeze Object.prototype with Object.freeze(Object.prototype) at startup, though this can break libraries that legitimately extend prototypes and is not a substitute for patching.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

CVE-2026-46681 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy