CVE-2026-1774
Prototype Pollution in CASL Ability 2.4.0β6.7.4 Vulnerability
Publication date: 2026-02-10
Last updated on: 2026-02-11
Assigner: CERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stalniy | casl_ability | From 2.4.0 (inc) to 6.7.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-1774 is a prototype pollution vulnerability found in CASL Ability versions 2.4.0 through 6.7.4. Prototype pollution occurs when an attacker is able to modify or inject properties into an object's prototype, such as Object.prototype in JavaScript. This allows the attacker to add or change attributes that affect all objects inheriting from that prototype, potentially altering application behavior globally."}, {'type': 'paragraph', 'content': 'The vulnerability arises because the software does not properly control or validate modifications to special prototype attributes like __proto__, constructor, or prototype. Attackers can exploit this by supplying crafted input that modifies these prototype attributes, leading to unexpected and malicious changes in the application.'}] [2, 3]
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized data access, data modification, and denial of service. By polluting the prototype, an attacker can cause the application to behave incorrectly, such as bypassing security checks, escalating privileges, or injecting malicious code.
- Confidentiality impact: Attackers may read or modify sensitive application data.
- Integrity impact: Malicious attributes can alter application logic or security controls.
- Availability impact: Overriding prototype attributes with incompatible types can cause crashes or restarts, leading to denial of service.
Examples of exploitation include bypassing access controls by setting global flags like isAdmin to true, or injecting malicious scripts via polluted properties.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this prototype pollution vulnerability can be performed using automated static analysis (SAST) tools that analyze data flow from input sources to sinks where object attributes are set.
Since the vulnerability involves JavaScript prototype pollution, detection involves checking for unsafe assignments to prototype attributes such as __proto__, constructor, or prototype.
There are no specific network commands provided, but detection typically involves code analysis tools or runtime monitoring for suspicious prototype modifications.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Validate and sanitize all user inputs to block modifications to prototype attributes such as __proto__, constructor, and prototype.
- Freeze the Object prototype using Object.freeze(Object.prototype) to prevent any modifications.
- Use objects without prototypes by creating them with Object.create(null) to avoid prototype inheritance.
- Prefer using Map or Set data structures instead of plain objects for key-value storage.
- Use runtime defenses such as the Node.js flag --disable-proto=delete|throw to disable or throw errors on __proto__ access.
- Avoid using vulnerable patterns like recursive merging or cloning of objects based on user input without validation.