CVE-2026-15598 in layout
Summary
by MITRE • 07/14/2026
A weakness has been identified in antv layout 2.0.0. This impacts the function setNestedValue in the library lib/util/object.js. Executing a manipulation of the argument path can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. The project was informed of the problem early through an issue report but has not responded yet.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/14/2026
The vulnerability resides within the antv layout library version 2.0.0, specifically in the setNestedValue function located in lib/util/object.js. This weakness represents a prototype pollution vulnerability that allows attackers to manipulate object prototype attributes through improper control of the path argument. The flaw enables remote exploitation, making it particularly dangerous as it can be triggered from external sources without requiring local access or authentication. The issue was initially reported through an official issue tracking system, but the project maintainers have yet to provide any response or patch addressing the security concern.
This vulnerability falls under the CWE-471 category of "Modification of Assumed-Immutable Data" and aligns with ATT&CK technique T1546.1000 which covers "Modify Object Prototype". The root cause occurs when the setNestedValue function fails to properly validate or sanitize the path parameter before using it to traverse object properties. When an attacker supplies a malicious path string containing prototype pollution indicators, the function can inadvertently modify the Object.prototype attributes, potentially affecting all objects within the application scope. This type of attack can lead to various downstream security issues including arbitrary code execution, denial of service, or data manipulation.
The operational impact of this vulnerability extends beyond simple prototype modification as it can enable attackers to manipulate core JavaScript object behaviors across the entire application context. Successful exploitation could allow adversaries to inject malicious properties into the Object.prototype, which would then be inherited by all objects in the JavaScript environment. This creates a persistent threat vector that could affect multiple components within applications using the vulnerable library, potentially leading to complete system compromise depending on how the library is integrated and used throughout the application stack.
Mitigation strategies should prioritize immediate patching of the antv layout library to version 2.0.1 or later where the prototype pollution vulnerability has been addressed. Organizations should implement input validation and sanitization measures at all levels where object paths are processed, particularly when handling user-supplied data. Additional protective measures include implementing Content Security Policy headers, using strict object property definitions with Object.freeze(), and monitoring for unusual prototype modifications within application logs. Security teams should also consider implementing runtime protections such as prototype pollution detection mechanisms and regular security scanning of dependencies to identify similar vulnerabilities in other third-party libraries. The lack of response from the project maintainers underscores the importance of proactive dependency management and alternative mitigation strategies when upstream fixes are delayed or absent.