PT-2026-50745 · Npm · Jodit

Published 2026-06-18 · Updated 2026-06-18 · CVE-2026-55886

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Summary

Jodit.modules.Helpers.set(chain, value, obj) walks the dot-separated chain, creating and following each path segment, without filtering prototype-mutating keys. A chain that begins with (or contains) `__proto__`, `constructor`, or `prototype` lets the final assignment reach and mutate Object.prototype (prototype pollution).

Affected

  • Package: jodit (npm)
  • Versions: < 4.12.26
  • Public API: Jodit.modules.Helpers.set(chain, value, obj)

Proof of Concept

```js
const { Jodit } = require('jodit');
delete Object.prototype.polluted;
// The first segment resolves to Object.prototype, so the final write lands there.
Jodit.modules.Helpers.set('__proto__.polluted', 'yes', {});
console.log(({}).polluted); // "yes" (before the fix)
delete Object.prototype.polluted; // clean up the shared prototype
```

Impact

Applications that pass a user-controlled or partially user-controlled key path into Jodit.modules.Helpers.set() could be vulnerable to prototype pollution (CWE-1321): unexpected property injection, logic bypass, denial of service, or secondary security issues.

Patch

Fixed in 4.12.26 by rejecting any chain whose segments include `__proto__`, `constructor`, or `prototype`, reusing the same guard introduced for Jodit.configure() in 4.12.18.
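To make the walk and the guard concrete, the following is an added example, not Jodit's source: a minimal reconstruction of a dot-path setter in the style of Helpers.set(chain, value, obj), first unguarded, then with the segment check the 4.12.26 fix describes (all function names here are assumed, not the library's own).

```javascript
// Added example: a minimal dot-path setter modelled on Helpers.set(chain, value, obj).
// This is a reconstruction for illustration, NOT Jodit's actual implementation.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function isObjectLike(v) {
  return v !== null && typeof v === 'object';
}

// Unguarded walk: every segment is created or followed, so a chain beginning
// with '__proto__' steps onto Object.prototype and the final write mutates it.
function vulnerableSet(chain, value, obj) {
  const parts = chain.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (!isObjectLike(cur[key])) cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Guarded variant: reject a prototype-mutating segment anywhere in the chain
// before touching the object, mirroring the fix described in the advisory.
function safeSet(chain, value, obj) {
  const parts = chain.split('.');
  if (parts.some((p) => FORBIDDEN_SEGMENTS.has(p))) {
    throw new TypeError(`Refusing prototype-mutating path: ${chain}`);
  }
  return vulnerableSet(chain, value, obj);
}

// Runs the advisory's chain against both setters and restores Object.prototype.
function demo() {
  vulnerableSet('__proto__.polluted', 'yes', {});
  const leaked = ({}).polluted;          // 'yes': an unrelated object now sees the key
  delete Object.prototype.polluted;

  let rejected = false;
  try { safeSet('__proto__.polluted', 'yes', {}); } catch (e) { rejected = true; }
  const stillClean = ({}).polluted === undefined;
  const normal = safeSet('a.b.c', 1, {}); // ordinary nested paths still work
  return { leaked, rejected, stillClean, normal };
}

console.log(demo());
```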

Credit

Responsibly reported by Junming Wu.

Weakness Enumeration

  • Prototype Pollution (CWE-1321)

Related Identifiers

CVE-2026-55886
GHSA-VPMM-X3FM-QR5C

Affected Products

Jodit