{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@tmlmobilidade/utils/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@tmlmobilidade/utils"],"_cs_severities":["high"],"_cs_tags":["prototype-pollution","javascript","npm","cve"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eA prototype pollution vulnerability has been identified in the \u003ccode\u003e@tmlmobilidade/utils\u003c/code\u003e npm package, specifically within the \u003ccode\u003esetValueAtPath()\u003c/code\u003e function. This vulnerability affects versions prior to \u003ccode\u003e20260509.0340.15\u003c/code\u003e. Prototype pollution occurs when an attacker can manipulate the properties of JavaScript object prototypes. This can lead to various security issues, including denial of service, arbitrary code execution (in certain environments), or information disclosure. The vulnerability was reported on May 13, 2026, and a patched version was released on May 18, 2026. This vulnerability is tracked as CVE-2026-45325. Defenders should ensure they are running the patched version to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable endpoint or function within an application that utilizes the \u003ccode\u003e@tmlmobilidade/utils\u003c/code\u003e package and its \u003ccode\u003esetValueAtPath()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input designed to manipulate the JavaScript object prototype.\u003c/li\u003e\n\u003cli\u003eThe malicious input is sent to the vulnerable application endpoint. This input exploits the \u003ccode\u003esetValueAtPath\u003c/code\u003e function by injecting properties into the prototype.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esetValueAtPath()\u003c/code\u003e function processes the attacker-controlled input without proper sanitization, allowing modification of the object prototype.\u003c/li\u003e\n\u003cli\u003eThe attacker injects properties like \u003ccode\u003e__proto__.polluted\u003c/code\u003e or \u003ccode\u003econstructor.prototype.polluted\u003c/code\u003e, which affects all subsequently created objects inheriting from that prototype.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s logic uses these polluted objects, leading to unexpected behavior or control flow changes.\u003c/li\u003e\n\u003cli\u003eDepending on the application\u0026rsquo;s design, the prototype pollution can lead to denial of service by crashing the application, or potentially remote code execution.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker could gain control over the application\u0026rsquo;s behavior, potentially leading to data theft or further compromise of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this prototype pollution vulnerability can lead to various adverse effects. An attacker can modify object properties leading to denial of service. Remote code execution might be possible depending on the application\u0026rsquo;s configuration and usage of the polluted objects. The number of affected applications depends on the adoption of the \u003ccode\u003e@tmlmobilidade/utils\u003c/code\u003e package. This type of vulnerability can be particularly damaging as it can affect multiple parts of an application due to the nature of prototype inheritance in JavaScript.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003e@tmlmobilidade/utils\u003c/code\u003e package to version \u003ccode\u003e20260509.0340.15\u003c/code\u003e or later to remediate the vulnerability (references: GHSA-cmxg-94mg-jq94).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization to prevent malicious input from reaching the \u003ccode\u003esetValueAtPath()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential prototype pollution attempts targeting the vulnerable function (rule: \u0026ldquo;Detect Prototype Pollution via setValueAtPath\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eRegularly audit and update dependencies to minimize the risk of known vulnerabilities affecting your applications.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing prototype pollution payloads (e.g., \u003ccode\u003e__proto__\u003c/code\u003e, \u003ccode\u003econstructor.prototype\u003c/code\u003e) using the log source \u003ccode\u003ewebserver\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T17:08:10Z","date_published":"2026-05-18T17:08:10Z","id":"https://feed.craftedsignal.io/briefs/2026-05-tmlmobilidade-prototype-pollution/","summary":"A prototype pollution vulnerability exists in the @tmlmobilidade/utils package before version 20260509.0340.15, specifically affecting the setValueAtPath() function, potentially leading to denial of service or arbitrary code execution.","title":"Prototype Pollution Vulnerability in @tmlmobilidade/utils setValueAtPath Function","url":"https://feed.craftedsignal.io/briefs/2026-05-tmlmobilidade-prototype-pollution/"}],"language":"en","title":"CraftedSignal Threat Feed — @Tmlmobilidade/Utils","version":"https://jsonfeed.org/version/1.1"}