CVE-2026-2964
Prototype Pollution in higuma web-audio-recorder-js Remote Exploit
Publication date: 2026-02-23
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| higuma | webaudiorecorder.js | 0.1.1 |
| higuma | webaudiorecorder.js | 0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can impact confidentiality, integrity, and availability of the affected system by allowing an attacker to modify the global Object.prototype.
Such prototype pollution can lead to unexpected behavior in the application, potentially enabling remote code execution, privilege escalation, or denial of service depending on how the polluted objects are used.
However, the exploitability is considered low because most implementations use hardcoded configuration objects rather than user-supplied input, so exploitation requires that the application directly uses unvalidated user input for configuration.
No known patches or countermeasures are currently available, so affected users are advised to consider replacing the vulnerable library.
Can you explain this vulnerability to me?
CVE-2026-2964 is a prototype pollution vulnerability found in the higuma web-audio-recorder-js library versions 0.1 and 0.1.1, specifically in the function extend within the file lib/WebAudioRecorder.js that handles dynamic configuration.
The vulnerability arises because the extend function improperly manages input attributes used to initialize or update objects, failing to restrict modifications to the object prototype. This allows an attacker to manipulate Object.prototype globally by passing specially crafted input containing dangerous property names such as __proto__, constructor, or prototype.
The vulnerable code recursively merges source objects into a target object without filtering out hazardous keys, enabling prototype pollution if user input is unsanitized and passed to the configuration parameter.
Exploitation is possible remotely but considered difficult, and a proof-of-concept exploit is publicly available.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves prototype pollution in the higuma web-audio-recorder-js library's extend function, which can be exploited if user input is unsanitized and passed to the configuration object.
Detection involves checking whether the application uses a vulnerable version (0.1 or 0.1.1) of the higuma web-audio-recorder-js library and whether it passes untrusted user input to the WebAudioRecorder constructor's configs parameter.
Since the vulnerability manifests as modification of the global Object.prototype, one way to detect exploitation attempts is to monitor for unexpected properties on Object.prototype, such as the presence of a 'polluted' property or other suspicious keys.
Suggested commands or checks include running JavaScript code in the environment to test for prototype pollution, for example:
- Injecting a payload with nested __proto__ properties and then checking whether Object.prototype has been modified, e.g. running `console.log({}.polluted);` after passing a crafted payload.
- Reviewing application logs or network traffic for suspicious JSON inputs containing __proto__, constructor, or prototype keys.
- Using static code analysis or searching source code for usage of the extend function and whether it processes untrusted input. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Currently, there are no known patches or official vendor mitigations available for this vulnerability.
Immediate mitigation steps include:
- Avoid passing unsanitized or user-controlled input to the WebAudioRecorder constructor's configuration object.
- Implement input validation and sanitization to filter out dangerous property names such as __proto__, constructor, and prototype before they reach the vulnerable extend function.
- Consider replacing the affected higuma web-audio-recorder-js library with an alternative library that does not have this vulnerability.
- Monitor for suspicious activity that may indicate exploitation attempts, such as unexpected modifications to Object.prototype. [1, 2]
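The following is an added example, not code from the web-audio-recorder-js project or from this advisory. It shows the two defensive measures the Q&A above describes: a recursive merge that stands in for the library's `extend` helper but refuses the `__proto__`, `constructor` and `prototype` keys (the mitigation list), and a baseline check on `Object.prototype` that reports any own property added after load (the detection answer). The `safeExtend`, `mergeConfig` and `unexpectedPrototypeKeys` names are assumptions of this example, the option names in the sample defaults are constructed rather than the library's real `configs` keys, and the untrusted JSON is a constructed sample carrying all three hazardous keys.

```javascript
'use strict';

// Keys that untrusted input must never be allowed to set on a merge target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Snapshot of Object.prototype's own property names taken when this module
// loads; later pollution shows up as a difference from this baseline.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// Only plain objects (literal / JSON.parse output / null-prototype) are merged
// recursively; arrays, class instances, functions etc. are assigned as-is.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened recursive merge (assumed name): copies `source` into `target`,
// skipping the hazardous keys and recursing only into plain objects. Every
// refused key is appended to `rejected` so the caller can log the attempt.
function safeExtend(target, source, rejected) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      rejected.push(key);
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      // Reuse an existing *own* plain object on the target, never one that
      // would be reached through the prototype chain.
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      const nested = hasOwn && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeExtend(nested, value, rejected);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Builds a configuration from trusted defaults plus an untrusted JSON document
// (for example a request body) and returns the merged object with the list of
// keys that were refused.
function mergeConfig(defaults, untrustedJson) {
  const rejected = [];
  const config = safeExtend({}, defaults, rejected);
  const parsed = JSON.parse(untrustedJson);
  if (!isPlainObject(parsed)) throw new TypeError('config must be a JSON object');
  safeExtend(config, parsed, rejected);
  return { config, rejected };
}

// Detection check: any own property on Object.prototype that was not present
// at load time indicates that something polluted the global prototype.
function unexpectedPrototypeKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !PROTOTYPE_BASELINE.has(k));
}

// Constructed sample input. The option names are illustrative only; the JSON
// string is written literally because JSON.parse turns "__proto__" into an
// ordinary own property, which is exactly what a naive merge would mishandle.
const SAMPLE_DEFAULTS = { numChannels: 2, encoding: 'wav', options: { timeLimit: 300 } };
const SAMPLE_UNTRUSTED =
  '{"numChannels":1,"options":{"timeLimit":60,"__proto__":{"polluted":true}},' +
  '"constructor":{"prototype":{"polluted":true}}}';

// Runs the merge on the sample and reports what a defender would want to see:
// the resulting config, the refused keys, and whether the prototype stayed clean.
function demo() {
  const { config, rejected } = mergeConfig(SAMPLE_DEFAULTS, SAMPLE_UNTRUSTED);
  return { config, rejected, leaked: unexpectedPrototypeKeys(), polluted: ({}).polluted };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it merges the legitimate overrides (`numChannels`, `options.timeLimit`), reports `["__proto__","constructor"]` as rejected, and leaves `unexpectedPrototypeKeys()` empty. The baseline check is the piece to keep running in production: take the snapshot at startup and compare periodically or on error paths, since a non-empty result means some code path, not necessarily this library, has written to `Object.prototype`.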