CVE-2026-2964
Received Received - Intake
Prototype Pollution in higuma web-audio-recorder-js Remote Exploit

Publication date: 2026-02-23

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in higuma web-audio-recorder-js 0.1/0.1.1. Impacted is the function extend in the library lib/WebAudioRecorder.js of the component Dynamic Config Handling. Such manipulation leads to improperly controlled modification of object prototype attributes. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-23
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2964
EUVD
EUVD-2026-7598
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
higuma webaudiorecorder.js 0.1.1
higuma webaudiorecorder.js 0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can impact confidentiality, integrity, and availability of the affected system by allowing an attacker to modify the global Object.prototype.

Such prototype pollution can lead to unexpected behavior in the application, potentially enabling remote code execution, privilege escalation, or denial of service depending on how the polluted objects are used.

However, the exploitability is considered low because most implementations use hardcoded configuration objects rather than user-supplied input, so exploitation requires that the application directly uses unvalidated user input for configuration.

No known patches or countermeasures are currently available, so affected users are advised to consider replacing the vulnerable library.

Executive Summary

CVE-2026-2964 is a prototype pollution vulnerability found in the higuma web-audio-recorder-js library versions 0.1 and 0.1.1, specifically in the function extend within the file lib/WebAudioRecorder.js that handles dynamic configuration.

The vulnerability arises because the extend function improperly manages input attributes used to initialize or update objects, failing to restrict modifications to the object prototype. This allows an attacker to manipulate Object.prototype globally by passing specially crafted input containing dangerous property names such as __proto__, constructor, or prototype.

The vulnerable code recursively merges source objects into a target object without filtering out hazardous keys, enabling prototype pollution if user input is unsanitized and passed to the configuration parameter.

Exploitation is possible remotely but considered difficult, and a proof-of-concept exploit is publicly available.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves prototype pollution in the higuma web-audio-recorder-js library's extend function, which can be exploited if user input is unsanitized and passed to the configuration object."}, {'type': 'paragraph', 'content': "Detection involves checking if the application uses the vulnerable versions (0.1 or 0.1.1) of the higuma web-audio-recorder-js library and whether it passes untrusted user input to the WebAudioRecorder constructor's configs parameter."}, {'type': 'paragraph', 'content': "Since the vulnerability manifests as modification of the global Object.prototype, one way to detect exploitation attempts is to monitor for unexpected properties on Object.prototype, such as the presence of a 'polluted' property or other suspicious keys."}, {'type': 'paragraph', 'content': 'Suggested commands or checks include running JavaScript code in the environment to test for prototype pollution, for example:'}, {'type': 'list_item', 'content': 'Injecting a payload with nested __proto__ properties and then checking if Object.prototype has been modified, e.g., running `console.log({}.polluted);` after passing a crafted payload.'}, {'type': 'list_item', 'content': 'Reviewing application logs or network traffic for suspicious JSON inputs containing __proto__, constructor, or prototype keys.'}, {'type': 'list_item', 'content': 'Using static code analysis or searching source code for usage of the extend function and whether it processes untrusted input.'}] [1, 2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Currently, there are no known patches or official vendor mitigations available for this vulnerability.'}, {'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': "Avoid passing unsanitized or user-controlled input to the WebAudioRecorder constructor's configuration object."}, {'type': 'list_item', 'content': 'Implement input validation and sanitization to filter out dangerous property names such as __proto__, constructor, and prototype before they reach the vulnerable extend function.'}, {'type': 'list_item', 'content': 'Consider replacing the affected higuma web-audio-recorder-js library with an alternative library that does not have this vulnerability.'}, {'type': 'list_item', 'content': 'Monitor for suspicious activity that may indicate exploitation attempts, such as unexpected modifications to Object.prototype.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2964. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart