Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attacker needs write access to token input (PR:L, AV:L); trivial payload (AC:L); prototype pollution crosses object scope and can corrupt confidentiality, integrity, and availability of the host process.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Style Dictionary, a build system for creating cross-platform styles, has a prototype pollution vulnerability starting in version 4.3.0 and prior to version 5.4.4. Impact users have: direct usage of convertTokenData(tokens, { output: 'object' });; indirect usage, via using Expand API; and/or indirect usage via SD's transform lifecycle. Impact is high for this when style-dictionary is used as an integration in a NodeJS server application. Impact is moderate for when style-dictionary is used as an integration in a Web application. Impact is low for most common cases where the user of style-dictionary also maintains the tokens, and access is limited via read/write access to the repository/workflows where it is used. A patch has been published in version 5.4.4. The only known workaround is to sanitize token data first. Whether using DTCG format or old Style Dictionary format, check the token data object recursively for any object keys that include __proto__.
AnalysisAI
{ output: 'object' }), the Expand API, and the transform lifecycle, and is most dangerous when Style Dictionary runs inside a Node.js server that ingests untrusted tokens. No public exploit identified at time of analysis and CISA has not listed it in KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that attacker-controlled data reach one of three specific code paths in Style Dictionary 4.3.0-5.4.3: a direct call to `convertTokenData(tokens, { output: 'object' })`, use of the Expand API, or processing through the transform lifecycle - all of which dissect dotted token keys. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H yields 8.8 and reflects scope change because polluting Object.prototype affects every object in the host process, but the AV:L choice is consistent with the realistic attack surface - the attacker must already be able to supply or modify token data, typically through repo write access or an upstream feed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with the ability to contribute design tokens - for example via a pull request to a tokens repository, an upstream token feed, or a SaaS endpoint that accepts user-supplied tokens for theming - submits a token whose key is `{__proto__.isAdmin}` with value `true`. When the Node.js server or build pipeline calls `convertTokenData` with `output: 'object'`, the assignment pollutes `Object.prototype`, after which every plain object in the process inherits the attacker-chosen property, enabling auth bypass, logic corruption, or denial of service depending on downstream code. |
| Remediation | Vendor-released patch: upgrade to style-dictionary 5.4.4 or later, which ignores any token key containing `__proto__` (PR https://github.com/style-dictionary/style-dictionary/pull/1702, fix commits 209085d9782cfc0783c4d983f3f1bb2c515954ec and 23b5e8dda143441f0d6b8e2b4222e2da98058bc5). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Style Dictionary deployments, identifying which run on servers processing external or untrusted token inputs and which have network exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38640