Threat Feed
high advisory

Velocity.js Prototype Pollution Vulnerability via #set Directive (CVE-2026-44966)

A prototype pollution vulnerability exists in Velocity.js versions 2.1.5 and earlier, allowing attackers to modify Object.prototype via crafted #set directives in Velocity templates, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE).

A prototype pollution vulnerability has been identified in Velocity.js, specifically affecting versions 2.1.5 and earlier. The vulnerability, designated as CVE-2026-44966, stems from improper input validation within the #set directive’s path assignment logic in Velocity templates. This flaw allows an attacker to manipulate the Object.prototype if they can influence the content of a Velocity template being rendered by an application. Successful exploitation could lead to a Denial of Service (DoS) or, depending on the server environment’s configuration, Remote Code Execution (RCE). The vulnerability was reported on May 9, 2026. Applications utilizing Velocity.js to render templates based on user-supplied or externally influenced data are most at risk.

Attack Chain

  1. The attacker identifies a Velocity template rendering endpoint within an application.
  2. The attacker crafts a malicious Velocity template containing a #set directive that targets the Object.prototype. Specifically, the template includes a payload like #set($__proto__.polluted = "hacked").
  3. The attacker injects the malicious template into the application, either by directly supplying the template content, manipulating template variables, or exploiting other injection points.
  4. The Velocity engine processes the malicious template, and the #set directive is executed.
  5. Due to the lack of input validation on the path within the #set directive, the engine directly assigns the attacker-controlled value to the Object.prototype.
  6. The Object.prototype is now polluted, meaning all JavaScript objects inherit the attacker-defined property and value.
  7. The application’s behavior becomes unpredictable, potentially leading to a Denial of Service as the polluted prototype disrupts normal operations.
  8. In certain environments, the prototype pollution can be chained with other vulnerabilities (e.g., gadget chains) to achieve Remote Code Execution (RCE).

Impact

This vulnerability allows an attacker to pollute the Object.prototype in Velocity.js applications. The impact of successful exploitation ranges from Denial of Service (DoS) to Remote Code Execution (RCE), depending on the specific environment and application logic. Any application using Velocity.js version 2.1.5 or earlier is potentially vulnerable if it renders templates that can be influenced by untrusted users. Prototype pollution can bypass security controls and cause unexpected application behavior.

Recommendation

  • Upgrade to a patched version of Velocity.js that addresses the prototype pollution vulnerability.
  • Sanitize user-supplied data used in Velocity templates to prevent the injection of malicious #set directives targeting Object.prototype.
  • Deploy the Sigma rule “Detect Velocity.js Prototype Pollution Attempt via set Directive” to identify attempts to exploit CVE-2026-44966 in web server logs.
  • Implement input validation on template variables so that reserved property names such as __proto__ or constructor cannot be used as path segments for prototype pollution.
  • Monitor web server logs for suspicious POST requests to Velocity template rendering endpoints with payloads containing __proto__ in the query parameters, as detected by the Sigma rule.
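As an added example of the validation recommended above (not Velocity.js's own code, and not how the patched release implements it), the JavaScript below models a #set-style path assignment that refuses reserved segments, plus a pre-render check that flags dangerous #set directives in untrusted template text; the function names are assumptions.

```javascript
// Reserved path segments that can reach Object.prototype or a constructor.
const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a Velocity reference such as "$foo.bar.baz" (or "${foo.bar}") into
// its segments: ["foo", "bar", "baz"].
function splitReference(ref) {
  return ref.replace(/^\$!?\{?/, '').replace(/\}$/, '').split('.');
}

// Hardened assignment (hypothetical helper): walks a dotted path inside
// `context` and sets the leaf value, refusing any reserved segment so the
// assignment can never land on Object.prototype.
function safeSetPath(context, ref, value) {
  const segments = splitReference(ref);
  if (segments.some((s) => DANGEROUS_SEGMENTS.has(s))) {
    throw new Error(`refusing to assign through reserved segment in ${ref}`);
  }
  let node = context;
  for (const key of segments.slice(0, -1)) {
    // Only descend into own, plain-object properties; otherwise create a
    // null-prototype object so the walk never touches inherited state.
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return context;
}

// Pre-render check (hypothetical helper): find every "#set($path = ..." in
// untrusted template text and return the references that use a reserved
// segment. An empty array means the template passed the check.
const SET_DIRECTIVE = /#set\s*\(\s*(\$!?\{?[\w.]+\}?)\s*=/g;
function findDangerousSetDirectives(template) {
  const hits = [];
  for (const m of template.matchAll(SET_DIRECTIVE)) {
    if (splitReference(m[1]).some((s) => DANGEROUS_SEGMENTS.has(s))) {
      hits.push(m[1]);
    }
  }
  return hits;
}

module.exports = { safeSetPath, findDangerousSetDirectives, splitReference };
```

Run findDangerousSetDirectives on template text before it reaches the engine, and reject the render request when it returns anything.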

Detection coverage (2 rules)

Detect Velocity.js Prototype Pollution Attempt via set Directive

high

Detects CVE-2026-44966 exploitation — An attacker attempts to pollute the Object.prototype using a #set directive within a Velocity template.

Rule type: sigma | Tactics: execution | Techniques: T1203 | Sources: webserver

Detect Velocity.js Prototype Pollution Attempt via POST Data

high

Detects CVE-2026-44966 exploitation — An attacker attempts to pollute the Object.prototype using a #set directive within a Velocity template submitted via POST data.

Rule type: sigma | Tactics: execution | Techniques: T1203 | Sources: webserver
