Description
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Potential Impact
- Confidentiality, Integrity, Availability: Read Application Data, Modify Application Data
- Availability: DoS: Crash, Exit, or Restart
Demonstrative Examples
The following function sets an attribute of `object` from a dot-separated path taken from untrusted input. Every intermediate segment is resolved with a plain property lookup, so a segment named `__proto__` resolves to `Object.prototype` and the final assignment lands there:

```javascript
function setValueByPath (object, path, value) {
    const pathArray = path.split(".");
    const attributeToSet = pathArray.pop();
    let objectToModify = object;
    for (const attr of pathArray) {
        if (typeof objectToModify[attr] !== 'object') {
            objectToModify[attr] = {};
        }
        objectToModify = objectToModify[attr];
    }
    objectToModify[attributeToSet] = value;
    return object;
}
```

Consider the following attacks:

```javascript
setValueByPath({}, "__proto__.isAdmin", true)
setValueByPath({}, "constructor.prototype.isAdmin", true)
```

The first call pollutes `Object.prototype`: `{}["__proto__"]` is `Object.prototype`, whose `typeof` is `"object"`, so the loop walks into it and `isAdmin` becomes visible on every object in the process. Against this exact implementation the second call does not reach `Object.prototype`: `{}["constructor"]` is the `Object` function, `typeof` reports `"function"`, and the code replaces it with a fresh own object on which `prototype.isAdmin` is then set. The `constructor.prototype` route does succeed against implementations that only test for an undefined or null intermediate, so both names have to be handled.

The fixed version ignores path segments that resolve to the object prototype:

```javascript
function setValueByPath (object, path, value) {
    const pathArray = path.split(".");
    const attributeToSet = pathArray.pop();
    let objectToModify = object;
    for (const attr of pathArray) {
        // Ignore attributes which resolve to object prototype
        if (attr === "__proto__" || attr === "constructor" || attr === "prototype") {
            continue;
        }
        if (typeof objectToModify[attr] !== "object") {
            objectToModify[attr] = {};
        }
        objectToModify = objectToModify[attr];
    }
    objectToModify[attributeToSet] = value;
    return object;
}
```

Note that only the intermediate segments are checked. A path whose last segment is `__proto__`, combined with an object value, still invokes the `__proto__` setter on the target object itself and replaces that one object's prototype with `value`. Rejecting the three names on every segment, including the last, is the stricter fix.
Mitigations & Prevention
- Freeze the object prototype up front (for example, `Object.freeze(Object.prototype)`) so that it can no longer be modified. This is process-wide: code that legitimately extends built-in prototypes will break, and in strict mode the blocked writes throw a `TypeError` instead of failing silently.
- Block modifications of attributes that resolve to the object prototype, such as `__proto__`, `constructor` and `prototype`, on every segment of an untrusted key path. Rejecting the whole request (and logging it) is preferable to silently skipping the segment, since input containing these names is almost certainly malicious.
- When handling untrusted objects, validate them against a schema that enumerates the permitted keys before any merge or deep assignment.
- Use objects without a prototype (`Object.create(null)`) for data populated from untrusted keys. Such an object has no `__proto__` accessor and no `constructor`, so the special attributes are just ordinary own properties and cannot reach `Object.prototype`.
- Use a `Map` instead of a plain object in most cases. With `Map` methods (`get`, `set`, `has`) the key is only data, so it is not possible to access or modify the object prototype through it.
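A worked example covering both the attack in the demonstrative example above and the mitigations just listed. It is added here and is not code from the CWE entry; the function names, the `isAdmin` check and the JSON payloads are constructed for the demonstration. It uses a recursive JSON merge, the pattern behind the CVEs in the table below, rather than the dot-path setter: it shows the pollution reaching an unrelated object, confirms that the `constructor.prototype` route is blocked by a `typeof` check on the intermediate, and then hardens the merge with a deny-list, own-property-only recursion and prototype-less containers, with a `Map`-based variant alongside.

```javascript
// Added example, not code from the CWE entry. Function names, the isAdmin()
// check and the JSON payloads are constructed for this demonstration.

// Vulnerable deep merge in the style of the merge/extend bugs in the CVE table
// (CVE-2018-3721, CVE-2019-11358): it walks every key of `source`, including
// "__proto__", and recurses into whatever `target[key]` resolves to, even when
// that lookup goes through the prototype chain.
function mergeVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === "object" && value !== null) {
      if (typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      mergeVulnerable(target[key], value); // target["__proto__"] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payloads. JSON.parse creates an *own* property whose name
// is literally "__proto__" (an object literal {__proto__: x} would instead set
// the literal's prototype), which is why these attacks arrive as JSON bodies.
const PAYLOAD_PROTO = '{"__proto__": {"isAdmin": true}}';
const PAYLOAD_CTOR = '{"constructor": {"prototype": {"isAdmin": true}}}';

// An authorization check elsewhere in the application. The session object is
// never passed to the merge, yet it inherits whatever lands on Object.prototype.
function isAdmin(session) {
  return session.isAdmin === true;
}

// Runs one payload through `merge` into an empty object and reports whether an
// unrelated, freshly created session now passes the admin check. A merge that
// throws counts as "did not pollute". Object.prototype is restored afterwards
// so the rest of the process is unaffected.
function pollutes(merge, payloadJson) {
  try {
    merge({}, JSON.parse(payloadJson));
    return isAdmin({ user: "alice" });
  } catch (e) {
    return false;
  } finally {
    delete Object.prototype.isAdmin;
  }
}
// pollutes(mergeVulnerable, PAYLOAD_PROTO) -> true
// pollutes(mergeVulnerable, PAYLOAD_CTOR)  -> false: {}.constructor is the Object
//   *function*, so the typeof check above replaces it with a fresh object and
//   "prototype.isAdmin" is written there, not on Object.prototype. A merge that
//   only tests for undefined/null intermediates is reachable through this route.

// Hardened merge. Three changes: (1) only the source's own enumerable keys are
// visited, (2) keys that resolve to the prototype are rejected outright rather
// than skipped, so the request can be logged and refused, (3) recursion only
// follows a property the target *owns*, and new containers have no prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge forbidden key "${key}"`);
    }
    const value = source[key];
    if (typeof value === "object" && value !== null && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = typeof own === "object" && own !== null ? own : Object.create(null);
      target[key] = mergeSafe(child, value);
    } else {
      target[key] = value; // primitives and arrays are copied as leaves
    }
  }
  return target;
}

// Map-based alternative for settings populated from untrusted JSON: a Map key
// is plain data, so "__proto__" is just a string and no lookup walks a
// prototype chain.
function settingsFromJson(json) {
  const settings = new Map();
  for (const [key, value] of Object.entries(JSON.parse(json))) {
    settings.set(key, value);
  }
  return settings;
}
```

`Object.freeze(Object.prototype)` is deliberately not executed in the example: it is process-global, would also make the clean-up in `pollutes` fail, and in strict mode turns every later write to `Object.prototype` into a `TypeError`, so it belongs in application start-up code, not in a library.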
Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2018-3721 | Prototype pollution by merging objects. |
| CVE-2019-10744 | Prototype pollution by setting default values to object attributes recursively. |
| CVE-2019-11358 | Prototype pollution by merging objects recursively. |
| CVE-2020-8203 | Prototype pollution by setting object attributes based on dot-separated path. |
Related Weaknesses
Frequently Asked Questions
What is CWE-1321?
CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the...
How can CWE-1321 be exploited?
Attackers can exploit CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')) to read application data, modify application data, or crash the application. This weakness is typically introduced during the Architecture and Design and Implementation phases of software development.
How do I prevent CWE-1321?
Key mitigations include: freezing the object prototype up front (for example, `Object.freeze(Object.prototype)`), blocking writes to attributes that resolve to the prototype (`__proto__`, `constructor`, `prototype`), validating untrusted objects against a schema, keeping data with untrusted keys in prototype-less objects (`Object.create(null)`), and using `Map` instead of plain objects.
What is the severity of CWE-1321?
CWE-1321 is classified as a Variant-level weakness, the most specific level of CWE's Pillar/Class/Base/Variant hierarchy. Four real-world CVEs are listed above as examples.