CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Last updated
Overview
CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
297 recorded CVEs are caused by CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 88 new CWE-1321 CVEs have been recorded so far in 2026 (70 in 2025).
- CVE-2026-34621CISA KEV
Acrobat Reader | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)
Critical · CVSS 9.3 · EPSS 94th2026-04-11 - CVE-2026-44005
vm2: Sandbox escape
Critical · CVSS 10.0 · EPSS 54th2026-05-13 - CVE-2026-25881
@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape)
Critical · CVSS 10.0 · EPSS 42th2026-02-09 - CVE-2026-25150
Prototype Pollution via FormData Processing in Qwik City
Critical · CVSS 10.0 · EPSS 46th2026-02-03 - CVE-2024-39008Critical · CVSS 10.0 · EPSS 56th2024-07-01
- CVE-2024-38999Critical · CVSS 10.0 · EPSS 51th2024-07-01
- CVE-2023-26121Critical · CVSS 10.0 · EPSS 62th2023-04-11
- CVE-2022-29823Critical · CVSS 10.0 · EPSS 69th2022-10-25
- CVE-2026-49252
deepstream is vulnerable to prototype pollution
Critical · CVSS 9.9 · EPSS 19th2026-06-18 - CVE-2026-32621
Apollo Federation has prototype pollution via incomplete key sanitization
Critical · CVSS 9.9 · EPSS 40th2026-03-13 - CVE-2025-25015
Kibana arbitrary code execution via prototype pollution
Critical · CVSS 9.9 · EPSS 66th2025-03-05 - CVE-2026-57926Critical · CVSS 9.8 · EPSS 8th2026-06-26
Showing 12 of 297 recorded CWE-1321 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-1321 vulnerabilitiesCommon consequences
What can happen when CWE-1321 is exploited.
Read Application Data, Modify Application Data
Affects: Confidentiality, Integrity, Availability
This weakness is usually exploited by using a special attribute of objects called proto, constructor, or prototype. Such attributes give access to the object prototype. An attacker can inject attributes that are used in other components by adding or modifying attributes of an object prototype. This creates attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the product depends on existence or non-existence of certain attributes, or uses pre-defined attributes of the object prototype (such as hasOwnProperty, toString, or valueOf).
DoS: Crash, Exit, or Restart
Affects: Availability
An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to prevent it
Practical mitigations for CWE-1321, grouped by where in the lifecycle they apply.
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Effectiveness: High — While this can mitigate this weakness completely, other methods are recommended when possible, especially in components used by upstream software ("libraries").
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Effectiveness: High
When handling untrusted objects, validating using a schema can be used.
Effectiveness: Limited
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Effectiveness: High
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
Effectiveness: Moderate
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This function sets object attributes based on a dot-separated path.
Vulnerable example
function setValueByPath (object, path, value) {Vulnerable example
setValueByPath({}, "__proto__.isAdmin", true)Safe example
function setValueByPath (object, path, value) {Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2018-3721 — Prototype pollution by merging objects.
- CVE-2019-10744 — Prototype pollution by setting default values to object attributes recursively.
- CVE-2019-11358 — Prototype pollution by merging objects recursively.
- CVE-2020-8203 — Prototype pollution by setting object attributes based on dot-separated path.
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-1321.
- What is CWE-1321?
- The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
- What CVEs are caused by CWE-1321?
- 297 recorded CVEs are attributed to CWE-1321, including CVE-2026-34621, CVE-2026-44005, CVE-2026-25881. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-1321?
- By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
- How is CWE-1321 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-1321?
- Exploiting CWE-1321 can lead to: Read Application Data, Modify Application Data, DoS: Crash, Exit, or Restart.
- Is CWE-1321 actively exploited?
- Yes. 1 CWE-1321 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 297 recorded CVEs.
References
- MITRE CWE definition (CWE-1321) (opens in a new tab)
- CWE-1321 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1321
Get alerted the moment a new CWE-1321 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.