CVE-2023-26132
Published: 2023-06-10
Priority: P3 (37)
Severity: high, CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.06% (60.4th percentile)
Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-dottie | < node-dottie 2.0.7+~2.0.7-1 (forky) | node-dottie 2.0.7+~2.0.7-1 (forky) |
| debian | node-dottie | < node-dottie 2.0.2-4+deb12u1 (bookworm) | node-dottie 2.0.2-4+deb12u1 (bookworm) |
| dottie_project | dottie | < 2.0.4 | 2.0.4 |
| dottie_project | dottie | >= 0 < 2.0.4 | 2.0.4 |
| dottie_project | dottie | >= 2.0.4 < 2.0.7 | 2.0.7 |
| mickhansen | dottie.js | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | | 7.5 | HIGH | |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
Red Hat
CVE-2026-27837 [HIGH] CWE-915: dottie.js: Unauthorized object modification via prototype pollution bypass
vendor_redhat · 2026-02-26 · CVSS 7.5
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.
A flaw was found in dottie.js, a JavaScript library for nested object access and manipulation. An incomplete fix for a previous vulnerability allows a remote attacker to bypass prototype pollution protectio
Ubuntu
CVE-2023-26132 Dottie vulnerability
vendor_ubuntu · 2026-02-12
Summary: Dottie could be made to run programs if it received specially crafted network traffic.
Yuhan Gao and Peng Zhou discovered that Dottie was vulnerable to prototype pollution when altering the __proto__ magical attribute. An attacker could possibly use this issue to achieve remote code execution.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2026-27837 [HIGH] node-dottie
vendor_debian · 2026 · CVSS 7.5
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 2.0.7+~2.0.7-1)
sid: resolved (fixed in 2.0.7+~2.0.7-1)
trixie: open
Debian
CVE-2023-26132 [HIGH] node-dottie
vendor_debian · 2023 · CVSS 7.5
Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.
Scope: local
bookworm: resolved (fixed in 2.0.2-4+deb12u1)
bullseye: resolved (fixed in 2.0.2-1+deb11u1)
forky: resolved (fixed in 2.0.6+~2.0.5-1)
sid: resolved (fixed in 2.0.6+~2.0.5-1)
trixie: resolved (fixed in 2.0.6+~2.0.5-1)
GHSA
CVE-2026-27837 [HIGH] CWE-1321: dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()
ghsa · 2026-02-26 · CVSS 7.5
### Summary
dottie versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first.
Both `dottie.set()` and `dottie.transform()` are affected.
### Details
The existing guard checks only `pieces[0] === '__proto__'`. When a path like `'a.__proto__.polluted'` is used, `pieces[0]` evaluates to `'a'`, not `'__proto__'`, so the guard is bypassed.
Inside the traversal loop, `current['__proto__'] = {}` triggers the `__proto__` setter, replacing the intermedi
OSV
CVE-2026-27837 [HIGH] Dottie provides nested object access and manipulation in JavaScript
osv · 2026-02-26 · CVSS 7.5
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.
OSV
CVE-2026-27837 [HIGH] dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()
osv · 2026-02-26 · CVSS 7.5
Advisory text (Summary and Details) identical to the GHSA entry above.
GHSA
CVE-2023-26132 [HIGH] CWE-1321: dottie vulnerable to Prototype Pollution
ghsa · 2023-06-10
Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the `set()` function and the current variable in the `/dottie.js` file.
OSV
CVE-2023-26132 [HIGH]
osv · 2023-06-10 · CVSS 7.5
Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.
OSV
CVE-2023-26132 [HIGH] dottie vulnerable to Prototype Pollution
osv · 2023-06-10
Advisory text identical to the GHSA entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/mickhansen/dottie.js/blob/b48e22714aae4489ea6276452f22cc61980ba5a4/dottie.js%23L107
https://github.com/mickhansen/dottie.js/commit/7d3aee1c9c3c842720506e131de7e181e5c8db68
https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763