CVE-2026-16151
Received Received - Intake

Improper Prototype Pollution in CartoDB carto-api-client

Vulnerability report for CVE-2026-16151, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulDB

Description

A vulnerability has been found in CartoDB carto-api-client 0.5.29. This impacts the function addFilter of the file src/filters.ts. Such manipulation of the argument column leads to improperly controlled modification of object prototype attributes. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-19
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cartodb carto-api-client 0.5.29

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a prototype pollution vulnerability in the CartoDB carto-api-client library version 0.5.29. The issue occurs in the addFilter function of src/filters.ts where the column parameter is used as a dynamic property name without validation. When column is set to __proto__, it allows modifying Object.prototype by writing filter data directly to it. This bypasses normal checks and can cause unintended property inheritance across all objects in the application.

The vulnerability arises because filters[column] resolves to Object.prototype when column is __proto__, enabling direct assignment of properties to the prototype. This can disrupt application logic, cause unexpected behavior, or lead to denial of service by affecting property existence checks and default objects.

Detection Guidance

To detect this prototype pollution vulnerability in carto-api-client 0.5.29, inspect JavaScript/TypeScript applications using this library for improper handling of the addFilter function. Check if user-controlled input is passed as the column parameter without validation. Look for dynamic property assignments using Object.prototype or similar primitives.

Impact Analysis

This vulnerability can impact applications using untrusted or partially trusted filter options. It may cause unexpected behavior, logic bypasses, or denial of service by disrupting property checks and default objects. Attackers could manipulate application behavior through prototype pollution, potentially gaining unintended control over application logic or data processing.

Compliance Impact

This vulnerability could indirectly impact compliance with GDPR and HIPAA by enabling prototype pollution attacks that may lead to unauthorized data access, modification, or denial of service. Such attacks could compromise data integrity or availability, which are key requirements under these regulations. However, the specific impact depends on how the vulnerable library is used in a system handling personal or health data.

Mitigation Strategies

Immediately update to a patched version of carto-api-client if available. If not, implement input validation to reject prototype pollution primitives like __proto__, prototype, and constructor. Validate dynamic keys and ensure filters[column] checks own properties only. Use Object.create(null) for filter maps and add runtime validation for the type parameter.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16151. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart