Property
Language: javascript
Severity: low
CWE: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code assigns properties to objects dynamically without checking whether the property name is ‘__proto__’, ‘constructor’, or a similar prototype key. This can let attackers modify the prototype of built-in objects, leading to unexpected behavior across your application.
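The following added example (not part of this rule's documentation or any project's code) puts a dotted-path setter that performs the unchecked assignment described above beside a hardened version. The function names, the blocked-key list and the `__proto__.isAdmin` input are constructed for illustration.

```javascript
// Added example: helper names and the sample path are hypothetical.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: walks a dotted path and assigns without checking key names.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key]; // '__proto__' resolves to Object.prototype here
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: rejects prototype keys and descends only into own properties.
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => BLOCKED_KEYS.has(k))) {
    throw new TypeError(`refusing prototype key in path: ${path}`);
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {}; // shadow anything inherited with a fresh own object
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Runs both setters on the same constructed untrusted path and reports
// whether a freshly created, unrelated object picked up the property.
function demo() {
  const path = '__proto__.isAdmin'; // constructed input
  const result = { pollutedByUnsafe: false, safeRejected: false, pollutedBySafe: false };
  setPathUnsafe({}, path, true);
  result.pollutedByUnsafe = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution before the next check
  try {
    setPathSafe({}, path, true);
  } catch (err) {
    result.safeRejected = err instanceof TypeError;
  }
  result.pollutedBySafe = ({}).isAdmin === true;
  return result;
}
```

Where the keys are fully attacker-controlled, storing them in a `Map` or in an object created with `Object.create(null)` avoids the prototype chain altogether.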

Impact

If exploited, attackers could inject or overwrite properties on all objects, potentially bypassing security checks, altering application logic, or causing data corruption. This may lead to security breaches, data leaks, or application crashes that are difficult to trace.