CVE-2026-26021 in set-in

Summary

by MITRE • 02/12/2026

set-in sets a value in a nested associative structure given an array of keys. A prototype pollution vulnerability exists in the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.


Analysis

by VulDB Data Team • 02/14/2026

The vulnerability identified as CVE-2026-26021 represents a prototype pollution issue within the npm package set-in version 2.0.1 through 2.0.4. This type of vulnerability falls under the category of prototype pollution attacks that have been classified by CWE as CWE-471, which specifically addresses the manipulation of object prototypes through user-controlled inputs. The set-in package is designed to provide functionality for setting values within nested associative structures using arrays of keys, making it a commonly used utility in applications that manipulate complex data structures. The vulnerability stems from insufficient input validation mechanisms that fail to properly sanitize user-provided keys before processing them within the prototype chain.

The technical flaw manifests when the package processes user inputs containing array elements that can be interpreted as prototype pollution vectors. A previous attempt to mitigate the issue by checking for forbidden keys proved inadequate, because crafted inputs that go through Array.prototype still reach the prototype chain. This allows an attacker to inject properties into Object.prototype, polluting the prototype chain of every object in the application. The root problem is that the processed keys can end up modifying the prototype object itself rather than the intended target object, a classic prototype pollution pattern documented in various security frameworks and threat models.

The operational impact of this vulnerability is significant as it can lead to a wide range of downstream security issues including but not limited to denial of service attacks, code execution vulnerabilities, and data manipulation. When Object.prototype is polluted, all objects in the JavaScript environment inherit the malicious properties, potentially causing applications to behave unexpectedly or become vulnerable to further exploitation. Attackers can leverage this vulnerability to manipulate object behavior, inject malicious code, or bypass security controls that rely on object properties. The vulnerability is particularly concerning in server-side JavaScript environments where applications may be processing user inputs without proper sanitization, creating a pathway for attackers to gain unauthorized access or modify application behavior.

The mitigation strategy for this vulnerability requires immediate upgrading to version 2.0.5 or later of the set-in package, which contains the proper fix for the prototype pollution issue. Organizations should conduct thorough security assessments to identify any applications that depend on vulnerable versions of this package and ensure all instances are updated. Security teams should also implement input validation mechanisms at multiple layers of their applications to prevent malicious inputs from reaching vulnerable libraries. The fix implemented in version 2.0.5 addresses the root cause by properly sanitizing array elements and ensuring that prototype properties cannot be modified through user-controlled inputs. Additionally, implementing runtime protections such as prototype lockdown mechanisms or using security tools that monitor for prototype pollution attempts can provide additional defense in depth. This vulnerability aligns with ATT&CK technique T1059.007 which covers scripting and T1566.001 which covers malicious file execution, demonstrating the broader attack surface implications of prototype pollution vulnerabilities in modern web applications.
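The two defenses the analysis names, validating every path element before it is processed and adding runtime protection against prototype writes, are shown below in an added example written for this page. It is not set-in's own implementation or its 2.0.5 fix; the function names `safeSetIn`, `findUnexpectedPrototypeProps` and `lockdownPrototypes` are hypothetical. The helper rejects the keys that link to a prototype (`__proto__`, `constructor`, `prototype`) anywhere in the path, descends only into own properties so an inherited lookup can never land on a prototype object, and refuses outright to write into a built-in prototype even if one is passed as the target. The detection helper snapshots the own property names of Object.prototype at startup (assumed to run before any untrusted input is handled) and reports anything that appears later.

```javascript
// Added example: hardened nested-set helper plus a prototype-pollution check.
// Illustration code for this page, not set-in's own code; names are hypothetical.

// Keys through which a plain object or array can reach a prototype object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Built-in prototypes that must never become the write target of a nested set.
const PROTECTED_OBJECTS = new Set([Object.prototype, Array.prototype, Function.prototype]);

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Set `value` at the path `keys` inside `target`, creating intermediate plain
// objects as needed. Throws on any path that could alter a prototype instead
// of the intended container.
function safeSetIn(target, keys, value) {
  if (target === null || typeof target !== 'object') {
    throw new TypeError('target must be an object or array');
  }
  if (!Array.isArray(keys) || keys.length === 0) {
    throw new TypeError('keys must be a non-empty array');
  }
  for (const key of keys) {
    // Deny-list check on every path element, not only the first one.
    if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing forbidden key in path: ${String(key)}`);
    }
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    // Descend only into OWN object-valued properties. An inherited property is
    // how a lookup would arrive at a prototype, so it is replaced by a fresh
    // plain object rather than followed.
    if (!hasOwn(node, key) || node[key] === null || typeof node[key] !== 'object') {
      node[key] = {};
    }
    node = node[key];
  }
  // Belt and braces: never write into a built-in prototype, whatever the path.
  if (PROTECTED_OBJECTS.has(node)) {
    throw new TypeError('refusing to write into a built-in prototype');
  }
  const last = keys[keys.length - 1];
  // defineProperty creates a plain data property and never invokes the
  // inherited __proto__ accessor.
  Object.defineProperty(node, last, {
    value, writable: true, enumerable: true, configurable: true,
  });
  return target;
}

// Detection: baseline of Object.prototype's own property names, taken at
// module load (assumed to be before untrusted input is processed).
const BASELINE_OBJECT_PROTO_PROPS = new Set(Object.getOwnPropertyNames(Object.prototype));

// Returns the names of own properties on Object.prototype that were not
// present at startup; a non-empty result is a pollution indicator.
function findUnexpectedPrototypeProps() {
  return Object.getOwnPropertyNames(Object.prototype)
    .filter((name) => !BASELINE_OBJECT_PROTO_PROPS.has(name));
}

// Runtime lockdown: freezing the built-in prototypes turns any later
// pollution attempt into a no-op (a TypeError in strict mode). Call once at
// startup, after legitimate polyfills have been installed.
function lockdownPrototypes() {
  for (const proto of PROTECTED_OBJECTS) Object.freeze(proto);
}

// Constructed sample input: a benign config write that the helper allows.
const sampleConfig = safeSetIn({}, ['server', 'timeoutMs'], 3000);
```

`lockdownPrototypes` should be exercised in a staging environment first: code that extends built-in prototypes at runtime (some polyfills and older libraries) will fail once they are frozen. The own-property check is what closes the gap left by a deny-list alone, since it stops traversal from ever following an inherited link, regardless of how the key was spelled or which built-in object the target happens to be.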

Responsible: GitHub M
Reservation: 02/09/2026
Disclosure: 02/12/2026
Moderation: accepted
CPE: ready
EPSS: 0.00039
KEV: no
Activities: very low

Sources
