CVE-2026-45325 in Gestor de Oferta
Summary
by MITRE • 07/16/2026
Gestor de Oferta is a web application for managing mobility service offerings. Prior to 20260509.0340.15, @tmlmobilidade/utils has a prototype pollution vulnerability in setValueAtPath() in packages/utils/src/generic/value-at-path.ts because unsafe path segments are not blocked. This issue is fixed in version 20260509.0340.15.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/16/2026
The Gestor de Oferta web application represents a critical mobility service management platform that handles sensitive transportation data and operational workflows for mobility providers. This system serves as a central hub for managing various mobility offerings, making it a prime target for sophisticated cyber attacks. The vulnerability resides within the @tmlmobilidade/utils library, specifically in the setValueAtPath() function located in packages/utils/src/generic/value-at-path.ts. This utility function is likely employed throughout the application to manipulate nested data structures and configuration parameters, making it a fundamental component in the platform's data handling architecture.
The prototype pollution vulnerability stems from inadequate validation of path segments passed to the setValueAtPath() function. When developers or attackers provide malicious input containing special characters or reserved keywords in the path traversal strings, the function fails to properly sanitize these inputs before processing them. This flaw allows an attacker to manipulate the prototype of JavaScript objects, potentially enabling arbitrary code execution or data manipulation within the application's memory space. The vulnerability is particularly concerning because it operates at a low level within the application's utility functions, meaning it could affect multiple components that rely on this function for data management operations.
The operational impact of this prototype pollution vulnerability extends beyond simple data corruption, as it can lead to significant system compromise and data exposure. Attackers could exploit this weakness to inject malicious properties into JavaScript prototypes, potentially enabling them to override core methods or access sensitive application functionality. This type of vulnerability aligns with CWE-1321, which specifically addresses prototype pollution in JavaScript applications, and maps to attack patterns within the MITRE ATT&CK framework under T1548.005 for Abuse of System Firmware and T1070.006 for Indicator Removal on Host. The vulnerability could allow an attacker to escalate privileges, manipulate application behavior, or potentially execute arbitrary code within the context of the web application.
Effective mitigation strategies should focus on implementing comprehensive input validation and sanitization for all path segments processed by the setValueAtPath() function. The fix implemented in version 20260509.0340.15 likely includes strict validation of path components to prevent special characters or reserved keywords from being processed, along with proper escaping mechanisms for dynamic path construction. Organizations should also implement regular security scanning of their dependencies to identify similar vulnerabilities across their software supply chain. Additionally, developers should adopt secure coding practices that avoid direct manipulation of object prototypes and implement defensive programming techniques such as using Object.freeze() on prototype objects or employing alternative data structure approaches that do not expose prototype pollution risks. The remediation process should include comprehensive testing to ensure that all path-based operations within the application function correctly while maintaining the security hardening measures implemented in the updated version.