GHSA-hp36-v28f-w3r4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hp36-v28f-w3r4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-hp36-v28f-w3r4/GHSA-hp36-v28f-w3r4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hp36-v28f-w3r4
- Aliases
-
- CVE-2026-55091
- Published
- 2026-06-19T20:47:52Z
- Modified
- 2026-06-19T21:00:15.642604419Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- flat-to-nested: Prototype pollution in flat-to-nested convert() via __proto__ parent/id key
- Details
-
Summary
convert()builds the nested tree by using each flat record'sidandparentfield values directly as object keys, with no guard against__proto__/constructor/prototype. A record whoseparentis the string"__proto__"makestemp[parent]resolve toObject.prototype, and the followinginitPush(...)writes attacker-controlled data onto the global prototype. Any application that passes attacker-influenced records toconvert()is affected, and the base prototype methods stay intact so the pollution is stealthy.### Details In
index.js,convert()(FlatToNested.prototype.convert):temp = {}(line 45) andpendingChildOf = {}(line 46) are plain objects, so they inherit fromObject.prototype.- For each record,
parent = flatEl[this.config.parent](line 51) is taken verbatim from input. - Line 57:
if (temp[parent] !== undefined)— whenparent === "__proto__",temp["__proto__"]resolves via the prototype chain toObject.prototype, which is!== undefined, so the branch is taken. - Line 59:
initPush(this.config.children, temp[parent], flatEl)→ effectivelyinitPush("children", Object.prototype, flatEl). initPush(lines 4-9):Object.prototype["children"] = []thenObject.prototype["children"].push(flatEl)— attacker-controlled data is written onto the globalObject.prototype.There is no sanitization of
id/parentanywhere; they flow straight intotemp[id],temp[parent], andpendingChildOf[parent]as dynamic keys.### PoC ```js const FlatToNested = require('flat-to-nested');
new FlatToNested().convert([ { id: 1, parent: 'proto', polluted: 'PWNED' } ]);
console.log(({}).children); // => [ { id: 1, polluted: 'PWNED' } ] A freshly-created, unrelated object {} now carries an attacker-controlled children property. ({}).toString === Object.prototype.toString remains true, so existing methods are untouched (stealthy). If the consumer configures a custom children key, that arbitrary prototype property is polluted instead. ```
### Impact
Prototype pollution (CWE-1321). Any service that builds a tree from attacker-influenced flat records (the package's core purpose — e.g. records derived from a DB/REST/user input) can have Object.prototype polluted. Consequences range from application-logic corruption and denial of service to serving as a gadget toward privilege escalation or RCE depending on downstream sinks. No special privileges or user interaction required; the malicious value is ordinary input data.
### Suggested fix
Use prototype-less lookup tables so inherited keys like proto cannot be reached: var temp = Object.create(null); var pendingChildOf = Object.create(null); (Optionally also reject id/parent values equal to proto, constructor, or prototype.) Verified: with Object.create(null) for both temp and pendingChildOf, the PoC no longer pollutes Object.prototype and normal nesting output is unchanged. A patch with a regression test is ready.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-06-19T20:47:52Z", "nvd_published_at": null, "severity": "HIGH", "cwe_ids": [ "CWE-1321", "CWE-915" ] }- References
Affected packages
npm / flat-to-nested
Package
- Name
- flat-to-nested
- View open source insights on deps.dev
- Purl
- pkg:npm/flat-to-nested