| Название | Node.js primereact 10.9.8 Prototype Pollution |
|---|
| Описание | PrimeReact exposes a utility entry point through `primereact/utils`, and that entry point includes `ObjectUtils.mutateFieldData(data, field, value)`. This helper appears to be intended for updating nested object fields by accepting a dot-separated field path, splitting it into path segments, walking the object, and assigning the supplied value at the final segment.
The issue is that the path-walking logic treats every segment as a normal property name. If the caller supplies a field path such as `__proto__.polluted`, JavaScript does not treat `__proto__` like a regular own property on a plain object. Instead, reading that segment can resolve to the object's prototype. The subsequent assignment then writes the attacker-controlled property onto `Object.prototype`.
As a result, a call that appears to mutate only the provided local object can modify the global object prototype. After this happens, newly created objects may inherit the injected property. This is the classic prototype pollution pattern and can become security-relevant when application logic later checks object properties for authorization, feature flags, configuration, validation state, or other control-flow decisions.
The vulnerable behavior is reachable through a public package subpath (`primereact/utils`) and a declared utility API. The PoC below demonstrates the issue without relying on private internals or a browser environment. |
|---|
| Источник | ⚠️ https://github.com/primefaces/primereact/issues/8553 |
|---|
| Пользователь | Dremig (UID 95003) |
|---|
| Представление | 10.06.2026 13:23 (1 месяц назад) |
|---|
| Модерация | 12.07.2026 20:03 (1 month later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 377888 [primefaces primereact до 10.9.8 API ObjectUtils.mutateFieldData Поле эскалация привилегий] |
|---|
| Баллы | 20 |
|---|