CVE-2026-27837
Published 2026-02-26
CVE-2026-27837: Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype…
Priority: P3 (57) | Severity: critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.30% (22.0th percentile)
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-dottie | < 2.0.7+~2.0.7-1 (forky) | 2.0.7+~2.0.7-1 (forky) |
| dottie_project | dottie | >= 2.0.4, < 2.0.7 | 2.0.7 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | | 7.5 | HIGH | |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
Only NVD rates confidentiality, integrity and availability impact as High (9.8); GHSA, OSV, Debian and Red Hat all score the issue 7.5 HIGH.
Red Hat
dottie.js: Unauthorized object modification via prototype pollution bypass
vendor_redhat · 2026-02-26 · CVSS 7.5 · HIGH · CWE-915
A flaw was found in dottie.js, a JavaScript library for nested object access and manipulation. An incomplete fix for a previous vulnerability allows a remote attacker to bypass prototype pollution protectio
Debian
CVE-2026-27837: node-dottie - Dottie provides nested object access and manipulation in JavaScript. Versions 2....
vendor_debian · 2026 · CVSS 7.5 · HIGH
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 2.0.7+~2.0.7-1)
sid: resolved (fixed in 2.0.7+~2.0.7-1)
trixie: open
GHSA
dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()
ghsa · 2026-02-26 · CVSS 7.5 · HIGH · CWE-1321
### Summary
dottie versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first.
Both `dottie.set()` and `dottie.transform()` are affected.
### Details
The existing guard checks only `pieces[0] === '__proto__'`. When a path like `'a.__proto__.polluted'` is used, `pieces[0]` evaluates to `'a'`, not `'__proto__'`, so the guard is bypassed.
Inside the traversal loop, `current['__proto__'] = {}` triggers the `__proto__` setter, replacing the intermedi
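The mechanism described in the GHSA details above (and in the description near the top of the page), as an added example that is not dottie's source code: a minimal dot-path setter with a first-segment-only guard of the shape the advisory describes, a hardened variant that rejects `__proto__`, `constructor` and `prototype` in every segment and never descends through inherited properties, a `transform()` built on each, and a probe that reports whether a given set()-like function lets a non-first `__proto__` segment reach `Object.prototype`. The function names, the `FORBIDDEN` list and the canary-based probe are this example's own choices; the vulnerable variant models the outcome (the final key lands on `Object.prototype` because the inherited `__proto__` accessor is followed during traversal) rather than reproducing dottie's loop line for line.

```javascript
'use strict';
// Added example, not dottie's source: a minimal dot-path setter with the
// kind of first-segment-only guard the advisory describes, a hardened
// variant that rejects dangerous keys in every segment, a transform()
// built on top of each, and a probe for any set()-like function.

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable shape: only pieces[0] is checked, so 'a.__proto__.polluted'
// passes. While walking, current['__proto__'] resolves (via the inherited
// accessor) to the intermediate object's prototype, i.e. Object.prototype,
// and the last segment is written there.
function setFirstSegmentGuard(object, path, value) {
  const pieces = Array.isArray(path) ? path : path.split('.');
  if (pieces[0] === '__proto__') return object; // the incomplete guard
  let current = object;
  for (let i = 0; i < pieces.length; i++) {
    const piece = pieces[i];
    if (i === pieces.length - 1) {
      current[piece] = value;
    } else {
      if (current[piece] === undefined) current[piece] = {};
      current = current[piece];
    }
  }
  return object;
}

// Hardened shape: reject __proto__/constructor/prototype at any position,
// and only descend into own properties so nothing inherited is ever used
// as a traversal target. (Assumed blocklist, not dottie's fix.)
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function setAllSegmentsGuard(object, path, value) {
  const pieces = Array.isArray(path) ? path : path.split('.');
  for (const piece of pieces) {
    if (FORBIDDEN.has(piece)) {
      throw new TypeError(`refusing to traverse forbidden key "${piece}"`);
    }
  }
  let current = object;
  for (let i = 0; i < pieces.length; i++) {
    const piece = pieces[i];
    if (i === pieces.length - 1) {
      current[piece] = value;
    } else {
      if (!hasOwn(current, piece)) current[piece] = {};
      current = current[piece];
      if (typeof current !== 'object' || current === null) {
        throw new TypeError(`key "${piece}" is in use as a non-object`);
      }
    }
  }
  return object;
}

// transform() in the advisory's sense: expand { 'a.b.c': v } into nested
// objects by calling the given setter once per key. It is only as safe as
// the setter it is built on.
function transform(flat, setFn) {
  const out = {};
  for (const key of Object.keys(flat)) setFn(out, key, flat[key]);
  return out;
}

// Probe for an installed library: does setFn let a non-first __proto__
// segment reach Object.prototype? Uses a random canary key and removes
// it again so the probe itself leaves no pollution behind.
function pollutesPrototype(setFn) {
  const canary = 'pp_canary_' + Math.random().toString(36).slice(2);
  try {
    try {
      setFn({}, 'a.__proto__.' + canary, 'polluted');
    } catch (_) {
      // a guard that throws is the desired behaviour
    }
    return ({})[canary] === 'polluted';
  } finally {
    delete Object.prototype[canary];
  }
}

// Same check via transform(), the other affected entry point.
function transformPollutesPrototype(setFn) {
  return pollutesPrototype((obj, path, value) => transform({ [path]: value }, setFn));
}

console.log('first-segment guard, set():', pollutesPrototype(setFirstSegmentGuard));
console.log('first-segment guard, transform():', transformPollutesPrototype(setFirstSegmentGuard));
console.log('all-segment guard, set():', pollutesPrototype(setAllSegmentsGuard));
console.log('all-segment guard, transform():', transformPollutesPrototype(setAllSegmentsGuard));
```

To check an installed copy, pass its setter to the probe, e.g. `pollutesPrototype(require('dottie').set)`; the probe deletes its canary afterwards, but run it in a throwaway process rather than inside a live service. The probe only reports writes that reach `Object.prototype`; a traversal that instead assigns `current['__proto__'] = {}` and replaces an intermediate object's prototype would have to be checked on that intermediate object rather than on a fresh `{}`.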
OSV
CVE-2026-27837: Dottie provides nested object access and manipulation in JavaScript
osv · 2026-02-26 · CVSS 7.5 · HIGH
OSV
dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()
osv · 2026-02-26 · CVSS 7.5 · HIGH (mirror of the GHSA advisory above; summary and details identical)
No detection rules found.
No public exploits indexed.
Published: 2026-02-26