Description
View on MITREBy freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible. Effectiveness: High Note: While this can mitigate this weakness completely, other methods are recommended when possible, especially in components used by upstream software ("libraries").
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated. Effectiveness: High
Strategy: Input Validation When handling untrusted objects, validating using a schema can be used. Effectiveness: Limited
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness. Effectiveness: High
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it. Effectiveness: Moderate
No detection method information available for this CWE.
No examples or observed CVEs available for this CWE.
No relationship information available for this CWE.
CWE-1321: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description
If exploited, CWE-1321 (CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')) it can compromise Read Application Data, Modify Application Data, DoS: Crash, Exit and or Restart, leading to outcomes such as Scope: Confidentiality, Integrity, Availability Likelihood: High This weakness is usually exploited by using a special attribute of objects called proto, constructor, or prototype. Such attributes give access to the object prototype. An attacker can inject attributes that are used in other components by adding or modifying attributes of an object prototype. This creates attributes that exist on every object and or replace critical attributes with malicious ones. This can be problematic if the product depends on existence or non-existence of certain attributes.
Recommended mitigations for CWE-1321 include: By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible. Effectiveness: High Note: While this can mitigate this weakness completely, other methods are recommended when possible, especially in components used by upstream software ("libraries"). By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated. Effectiveness: High Strategy: Input Validation When handling untrusted objects, validating using a schema can be used. Effectiveness: Limited
CWE-1321 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-1321 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.