jodit: Prototype pollution in Jodit via Jodit.modules.Helpers.set()
- When:
- Where: Global (internet)
- Category: cyber_advisory · npm
### Summary

`Jodit.modules.Helpers.set(chain, value, obj)` walks the dot-separated `chain`, creating and following each path segment, without filtering prototype-mutating keys. A chain that begins with (or contains) `__proto__`, `constructor`, or `prototype` lets the final assignment reach and mutate `Object.prototype` (prototype pollution).

### Affected

- Package: `jodit` (npm)
- Versions: `< 4.12.26`
- Public API: `Jodit.modules.Helpers.set(chain, value, obj)`

### Proof of Concept

```js
const { Jodit } = require('jodit');

delete Object.prototype.polluted;
Jodit.modules.Helpers.set('__proto__.polluted', 'yes', {});
console.log(({}).polluted); // "yes" (before the fix)
delete Object.prototype.polluted;
```

### Impact

Applications that pass a user-controlled or partially user-controlled key path into `Jodit.modules.Helpers.set()` could be vulnerable to prototype pollution (CWE-1321): unexpected property injection, logic bypass, denial of service, or secondary security issues.

### Patch

Fixed in 4.12.26 by rejecting any `chain` whose segments include `__proto__`, `constructor`, or `prototype`, reusing the same guard introduced for `Jodit.configure()` in 4.12.18.

### Credit

Responsibly reported by Junming Wu.
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-18 13:05 UTC