CVE-2026-27837
Prototype Pollution in Dottie JS Nested Object Access (v
Publication date: 2026-02-26
Last updated on: 2026-02-28
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dottie_project | dottie | From 2.0.4 (inc) to 2.0.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27837 is a prototype pollution vulnerability in the JavaScript library dottie.js versions 2.0.4 through 2.0.6. The vulnerability arises because the protection mechanism only checks the first segment of a dot-separated path for the dangerous key '__proto__'. This allows an attacker to bypass the guard by placing '__proto__' in any position other than the first, such as in 'a.__proto__.polluted'.

By exploiting this flaw, an attacker can inject properties into an object's prototype chain via intermediate '__proto__' segments. This does not affect the global Object.prototype but only the specific object's prototype chain, making the injected properties stealthy and invisible to standard detection methods like hasOwnProperty() and Object.keys().

For example, an attacker could inject an 'isAdmin: true' property into a session object, causing access control checks relying on property access to succeed while bypassing checks that use hasOwnProperty(). Additionally, replacing an object's prototype can remove inherited methods, potentially causing errors and denial of service. [1]

How can this vulnerability impact me?

This vulnerability can lead to unauthorized access and denial of service in applications using dottie.js versions 2.0.4 through 2.0.6. Attackers can inject properties into an object's prototype chain, potentially bypassing authorization checks by adding properties like 'isAdmin: true' to session objects.

Moreover, the attack can cause runtime errors by stripping inherited methods from objects, leading to TypeError exceptions and denial of service conditions.

The vulnerability has a moderate severity with a CVSS v3.1 base score of 6.3, indicating it can be exploited remotely with low complexity and no privileges required, though user interaction is needed. [1]

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves prototype pollution through nested object paths in the dottie.js library, where injected properties do not appear in standard property enumerations like hasOwnProperty() or Object.keys(). Therefore, detecting exploitation by simple property checks is difficult.

Detection would require monitoring or auditing the use of dottie.set() and dottie.transform() functions for suspicious paths containing '__proto__', 'constructor', or 'prototype' segments beyond the first position.

No specific network or system commands are provided in the available resources to detect this vulnerability directly. [1, 2]

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the dottie.js package to version 2.0.7 or later, where the vulnerability is fully patched by validating all path segments against dangerous keys such as '__proto__', 'constructor', and 'prototype'.

If upgrading immediately is not possible, review and restrict user input that is passed to dottie.set() and dottie.transform() to prevent paths containing these dangerous keys at any position.

Additionally, audit your codebase for usage of dottie.js in security-critical contexts, such as access control decisions, and apply additional validation or sanitization layers. [1, 2]
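An added illustration, not dottie's own code, of the first-segment-only guard described in the explanation above and of the every-segment validation described under mitigation: a simplified dot-path setter is run with each guard against a constructed session object, and the result is probed the way an access-control check and an audit would see it. The setter, both guard functions, probe() and demo() are constructed for this example and only approximate the behaviour the advisory describes.

```javascript
// Keys that must never appear as a path segment written from untrusted input.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Weak guard: only the first segment is compared with '__proto__'
// (the behaviour the advisory attributes to dottie 2.0.4 - 2.0.6).
function firstSegmentGuard(segments) {
  return segments[0] === '__proto__';
}

// Fixed guard: every segment is compared with all three dangerous keys
// (the behaviour the advisory attributes to dottie 2.0.7).
function everySegmentGuard(segments) {
  return segments.some((seg) => DANGEROUS_KEYS.has(seg));
}

// Simplified nested setter (constructed, not dottie's implementation).
// A fresh container is created whenever the key is not an own object, so an
// intermediate '__proto__' segment replaces that object's prototype instead
// of reaching the global Object.prototype, matching the advisory's wording.
// Returns true when the value was written, false when the path was refused.
function setPath(target, path, value, guard) {
  const segments = path.split('.');
  if (guard(segments)) return false;
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || cur[key] === null || typeof cur[key] !== 'object') cur[key] = {};
    cur = cur[key];
  }
  cur[segments[segments.length - 1]] = value;
  return true;
}

// Where is the property visible afterwards? Plain access is what a naive
// authorization check reads; own/enumerated are what audits usually look at.
function probe(obj, prop) {
  return {
    access: obj[prop],
    own: Object.prototype.hasOwnProperty.call(obj, prop),
    enumerated: Object.keys(obj).includes(prop),
    global: Object.prototype.hasOwnProperty.call(Object.prototype, prop),
  };
}

// Constructed session object; the path is the shape the advisory describes.
function demo(guard) {
  const session = { user: { name: 'alice' } };
  const written = setPath(session, 'user.__proto__.isAdmin', true, guard);
  return { written, ...probe(session.user, 'isAdmin') };
}
```

With the weak guard, demo() reports the write as accepted and session.user.isAdmin reads as true while hasOwnProperty() and Object.keys() show nothing and Object.prototype is untouched; with the every-segment guard the write is refused.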