CWE-1321: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

VariantStableExploit Likelihood: High

Description

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple
Vulnerability Mapping
ALLOWED

Applicable To

Languages
Languages
Platforms
Languages

Frequently Asked Questions

What is CWE-1321: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')?+

CWE-1321: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description

What are the security consequences of CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')?+

If exploited, CWE-1321 (CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')) it can compromise Read Application Data, Modify Application Data, DoS: Crash, Exit and or Restart, leading to outcomes such as Scope: Confidentiality, Integrity, Availability Likelihood: High This weakness is usually exploited by using a special attribute of objects called proto, constructor, or prototype. Such attributes give access to the object prototype. An attacker can inject attributes that are used in other components by adding or modifying attributes of an object prototype. This creates attributes that exist on every object and or replace critical attributes with malicious ones. This can be problematic if the product depends on existence or non-existence of certain attributes.

How do you prevent or mitigate CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')?+

Recommended mitigations for CWE-1321 include: By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible. Effectiveness: High Note: While this can mitigate this weakness completely, other methods are recommended when possible, especially in components used by upstream software ("libraries"). By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated. Effectiveness: High Strategy: Input Validation When handling untrusted objects, validating using a schema can be used. Effectiveness: Limited

Which programming languages are affected by CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')?+

CWE-1321 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1321 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More