PT-2026-50745 · Npm · Jodit

Published

2026-06-18

·

Updated

2026-06-18

·

CVE-2026-55886

CVSS v4.0

6.9

Medium

Vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Summary

Jodit.modules.Helpers.set(chain, value, obj) walks the dot-separated chain, creating and following each path segment, without filtering prototype-mutating keys. A chain that begins with (or contains) __proto__, constructor, or prototype lets the final assignment reach and mutate Object.prototype (prototype pollution): the walk follows the inherited __proto__ (or constructor.prototype) link instead of an own property, so the last segment is written onto the shared prototype and becomes visible on every plain object.

Affected

  • Package: jodit (npm)
  • Versions: < 4.12.26
  • Public API: Jodit.modules.Helpers.set(chain, value, obj)

Proof of Concept

```js
const { Jodit } = require('jodit');

// Start from a clean prototype so the observation below is unambiguous.
delete Object.prototype.polluted;

// The first segment is __proto__, so the walk lands on Object.prototype
// and the final assignment writes there instead of onto the empty object.
Jodit.modules.Helpers.set('__proto__.polluted', 'yes', {});

console.log(({}).polluted); // "yes" (before the fix)

// Clean up so the pollution does not leak into anything else in the process.
delete Object.prototype.polluted;
```

Impact

Applications that pass a user-controlled or partially user-controlled key path into Jodit.modules.Helpers.set() could be vulnerable to prototype pollution (CWE-1321): unexpected property injection, logic bypass, denial of service, or secondary security issues.

Patch

Fixed in 4.12.26 by rejecting any chain whose segments include __proto__, constructor, or prototype, reusing the same guard introduced for Jodit.configure() in 4.12.18.
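To make the walk described in the Summary and the guard described under Patch concrete, the following added example (not Jodit's source code) pairs a minimal dot-path setter of the shape the advisory describes with a hardened variant. The function names unsafeSet, safeSet and demo, the FORBIDDEN set, and the sample chains are this example's own assumptions; the hardened variant also refuses to follow inherited properties while walking, which goes slightly beyond the segment blocklist the advisory mentions.

```javascript
// Added example, not Jodit's own implementation. Names (unsafeSet, safeSet,
// demo, FORBIDDEN) and sample chains are constructed for illustration.

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable shape: split the chain, create missing intermediates as {},
// follow each segment, assign the last one. Nothing stops a segment from
// being __proto__ (inherited, so it is never "missing") or constructor,
// which redirects the walk onto Object.prototype.
function unsafeSet(chain, value, obj) {
  const keys = chain.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] === undefined || cur[k] === null) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened shape: reject the whole chain if any segment is a
// prototype-reaching key, and only follow own, plain-object properties so
// an inherited value can never become the current node.
function safeSet(chain, value, obj) {
  const keys = chain.split('.');
  for (const k of keys) {
    if (FORBIDDEN.has(k)) {
      throw new Error(`Refusing unsafe key path segment: ${k}`);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Exercise both setters and return what an observer object sees afterwards.
function demo() {
  const results = {};

  // 1. __proto__ as the first segment climbs to Object.prototype.
  unsafeSet('__proto__.polluted', 'yes', {});
  results.unsafeProto = ({}).polluted;
  delete Object.prototype.polluted;

  // 2. constructor.prototype reaches the same object by another route.
  unsafeSet('constructor.prototype.polluted2', 'yes', {});
  results.unsafeCtor = ({}).polluted2;
  delete Object.prototype.polluted2;

  // 3. The hardened setter refuses the chain; Object.prototype is untouched.
  let rejected = false;
  try {
    safeSet('__proto__.polluted', 'yes', {});
  } catch (e) {
    rejected = true;
  }
  results.safeRejected = rejected;
  results.safeProto = ({}).polluted;

  // 4. Ordinary nested paths still behave as before.
  const target = safeSet('editor.toolbar.size', 'small', {});
  results.safeNormal = target.editor.toolbar.size;

  return results;
}

console.log(demo());
```

The blocklist alone is what the advisory says the fix relies on; the own-property check in safeSet is a belt-and-braces addition so that even a future bypass of the segment check cannot turn an inherited value into the current node of the walk.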

Credit

Responsibly reported by Junming Wu.

Weakness Enumeration

Prototype Pollution (CWE-1321)

Related identifiers

CVE-2026-55886
GHSA-VPMM-X3FM-QR5C

Affected products

Jodit