{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@nevware21/ts-utils/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@nevware21/ts-utils"],"_cs_severities":["high"],"_cs_tags":["prototype-pollution","javascript","vulnerability","cve-2026-46681"],"_cs_type":"advisory","_cs_vendors":["nevware21"],"content_html":"\u003cp\u003eThe \u003ccode\u003e@nevware21/ts-utils\u003c/code\u003e library, versions 0.13.0 and earlier, contains a prototype pollution vulnerability (CVE-2026-46681) in the \u003ccode\u003e_copyProps\u003c/code\u003e function located in \u003ccode\u003elib/src/object/copy.ts\u003c/code\u003e. This function iterates through the properties of a source object using a \u003ccode\u003efor...in\u003c/code\u003e loop without checking if the properties belong directly to the object (i.e., without using \u003ccode\u003ehasOwnProperty\u003c/code\u003e). Consequently, an attacker can inject malicious properties, such as \u003ccode\u003e__proto__\u003c/code\u003e, into the prototype chain of all objects within the application. By providing crafted JSON input with a \u003ccode\u003e__proto__\u003c/code\u003e property, attackers can overwrite properties of the base object prototype, leading to potential code execution or denial-of-service conditions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a JSON object containing a \u003ccode\u003e__proto__\u003c/code\u003e property with malicious values.\u003c/li\u003e\n\u003cli\u003eThe application parses the malicious JSON object, potentially from an untrusted source (e.g., user input or external API).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eobjDeepCopy\u003c/code\u003e function in \u003ccode\u003e@nevware21/ts-utils\u003c/code\u003e is called with the malicious object as an argument.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eobjDeepCopy\u003c/code\u003e function internally uses the vulnerable \u003ccode\u003e_copyProps\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_copyProps\u003c/code\u003e function iterates over the properties of the malicious object using \u003ccode\u003efor...in\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the absence of \u003ccode\u003ehasOwnProperty\u003c/code\u003e checks, the \u003ccode\u003e__proto__\u003c/code\u003e property is processed.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e__proto__\u003c/code\u003e property\u0026rsquo;s value is used to modify the prototype of the target object.\u003c/li\u003e\n\u003cli\u003eAll subsequently created objects in the application inherit the polluted prototype, potentially leading to code execution or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to pollute the prototype of all objects in the application. This can lead to unexpected behavior, code execution, or denial-of-service conditions. The vulnerability affects applications using \u003ccode\u003e@nevware21/ts-utils\u003c/code\u003e versions 0.13.0 and earlier that process untrusted JSON input. This vulnerability has a high severity due to its potential to compromise the integrity and availability of affected applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a version of \u003ccode\u003e@nevware21/ts-utils\u003c/code\u003e that includes the fix for CVE-2026-46681.\u003c/li\u003e\n\u003cli\u003eApply the suggested fix to the vulnerable \u003ccode\u003e_copyProps\u003c/code\u003e function by adding an \u003ccode\u003eobjHasOwnProperty\u003c/code\u003e check and filtering \u003ccode\u003e__proto__\u003c/code\u003e, \u003ccode\u003econstructor\u003c/code\u003e, and \u003ccode\u003eprototype\u003c/code\u003e keys.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Prototype Pollution via \u003ccode\u003e__proto__\u003c/code\u003e Modification\u0026rdquo; to identify attempts to exploit this vulnerability based on registry modifications that target \u003ccode\u003e__proto__\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement input validation to sanitize JSON data before processing it with \u003ccode\u003eobjDeepCopy\u003c/code\u003e, filtering out potentially malicious properties like \u003ccode\u003e__proto__\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAudit existing code that uses \u003ccode\u003e@nevware21/ts-utils\u003c/code\u003e to ensure that it does not process untrusted JSON input without proper sanitization.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T21:44:33Z","date_published":"2026-05-21T21:44:33Z","id":"https://feed.craftedsignal.io/briefs/2026-05-ts-utils-prototype-pollution/","summary":"The `_copyProps` function in the `@nevware21/ts-utils` library is vulnerable to prototype pollution due to the use of `for...in` without proper `hasOwnProperty` checks, allowing attackers to modify object prototypes by injecting properties like `__proto__`.","title":"Prototype Pollution Vulnerability in @nevware21/ts-utils Library (CVE-2026-46681)","url":"https://feed.craftedsignal.io/briefs/2026-05-ts-utils-prototype-pollution/"}],"language":"en","title":"CraftedSignal Threat Feed — @Nevware21/Ts-Utils","version":"https://jsonfeed.org/version/1.1"}